Thanks for responding. Reading the usage example, I presume that this applies to specific HTML elements. But how does this apply to nonces? Do I have to exclude the whole script from being cached? I tried:
add_filter("TOA_PLUGIN/nonce_scriptx", function ($_) {
    // put the data in cache to be sure to return the same value on all calls
    if (!isset($GLOBALS["TOA_PLUGIN"]["nonce_scriptx"])) $GLOBALS["TOA_PLUGIN"]["nonce_scriptx"] = bin2hex(random_bytes(12));
    echo apply_filters( 'litespeed_esi_url', 'my_esi_block', 'Custom ESI block' );
    return $GLOBALS["TOA_PLUGIN"]["nonce_scriptx"];
});
and then the function the action hook as described. Result: an error is issued. Obviously this does not really apply.
Plugin Support
qtwrk
(@qtwrk)
are you creating your own custom nonce system?
why not use the wordpress’s own wp_create_nonce()? we have native ESI support for WP nonce
Yes, I am. I tried wp_create_nonce() and found out that it is the same nonce value throughout the whole website. It never changes and it is, as I learned, not cryptographically random, too.
I noticed that Convert custom nonce to ESI exists. I’ve even tried it. But without any success. The example is not very clear. For instance:
Then you need to call the API somewhere before that line, like so:
What does that mean? Somewhere before? Within the function that has wp_create_nonce() or outside?
Plugin Support
qtwrk
(@qtwrk)
well, that’s how wp made its nonce
ref: https://developer.projectdmc.org/apis/security/nonces/
back to topic
imagine you have a code like
...
wp_create_nonce('my-nonce-name');
...
then you change it to
...
do_action( 'litespeed_nonce', 'my-nonce-name' );
wp_create_nonce('my-nonce-name');
...
or you can add some check, to see if LSCWP or ESI is enabled
...
if ( defined('LSCWP_V') && apply_filters( 'litespeed_esi_status', false ) ) {
    // LiteSpeed Cache is loaded and ESI is on: register the nonce for ESI conversion
    do_action('litespeed_nonce', 'my-nonce-name');
}
wp_create_nonce('my-nonce-name');
...
or even simpler, just go to LiteSpeed Cache -> Cache -> ESI -> enable ESI, add my-nonce-name into ESI nonce list, save and purge.
OK. This is my test:
add_action( 'run_custom_nonce_value', 'custom_nonce_value' );
function custom_nonce_value() {
    do_action('litespeed_nonce', 'GurkensalatmitSauce');
    $created_nonce = wp_create_nonce('GurkensalatmitSauce');
    echo 'nonce_test: '. $created_nonce;
    return $created_nonce;
}
ESI enabled and ‘GurkensalatmitSauce’ added to the list. The echo is:
nonce_test: nonce_test: [an error occurred while processing this directive] 5d557226b9
In the console I get various errors that scripts and inline scripts are rejected. With ESI disabled no errors at all, but everywhere the same nonce.
And another test with ESI enabled and 'my-nonce-name' added to esi-nonces field:
do_action('litespeed_nonce', 'my-nonce-name');
$GLOBALS['testnonce'] = wp_create_nonce('my-nonce-name'); //to retrieve value in various places
Shows the same nonce throughout the whole site. do_action('litespeed_nonce','my-nonce-name'); does not do anything. I conclude that this is good for nothing. The rest of litespeed works well though.
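Why wp_create_nonce() printed the same value everywhere in the tests above, as an added example that is not part of the thread and is not WordPress or LiteSpeed code: a stand-alone PHP model of the time-bucketed keyed hash behind a WordPress nonce, next to a per-response random value of the kind a CSP script nonce needs. The function names, salt and timestamp are constructed for illustration.

```php
<?php
// Added example: a stand-alone model, not WordPress or LiteSpeed code.
// The salt and timestamp are constructed; a real site derives its salt
// from the keys in wp-config.php.
const NONCE_LIFE = 86400;            // WordPress default nonce lifetime (1 day)

// Model of wp_nonce_tick(): the counter advances once per half lifetime (12 h).
function model_nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Model of wp_create_nonce(): keyed hash over tick|action|user|session token,
// truncated to 10 hex characters. Nothing in the input changes per request.
function model_wp_nonce(string $action, int $uid, string $token, string $salt, int $now): string {
    $data = model_nonce_tick($now) . '|' . $action . '|' . $uid . '|' . $token;
    return substr(hash_hmac('md5', $data, $salt), -12, 10);
}

// A CSP script nonce: fresh random bytes for every response.
function csp_nonce(): string {
    return base64_encode(random_bytes(16));
}

$salt = 'constructed-salt-for-illustration';
$t0   = 1700000000;                  // constructed timestamp

// Logged-out visitor modelled as user id 0 with an empty session token.
$a = model_wp_nonce('my-nonce-name', 0, '', $salt, $t0);
$b = model_wp_nonce('my-nonce-name', 0, '', $salt, $t0 + 60);         // one minute later
$c = model_wp_nonce('my-nonce-name', 0, '', $salt, $t0 + NONCE_LIFE); // two ticks later

printf("same tick:  %s %s (%s)\n", $a, $b, $a === $b ? 'identical' : 'different');
printf("later tick: %s (%s)\n", $c, $a === $c ? 'identical' : 'different');

$n1 = csp_nonce();
$n2 = csp_nonce();
printf("CSP nonces: %s %s (%s)\n", $n1, $n2, $n1 === $n2 ? 'identical' : 'different');
```

A full-page cache replays whatever value was written into the stored HTML, which is why the thread turns to ESI for the nonce.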