Make WordPress Core

Opened 8 years ago

Last modified 10 months ago

#15394 new defect (bug)

Ancient "Are you sure you want to do this" now confusing

Reported by: ozh
Owned by:
Milestone: Future Release
Priority: normal
Severity: minor
Version: 3.1
Component: Security
Keywords: ux-feedback needs-patch dev-feedback
Focuses:
Cc:


The default failing nonce message did not pass the wife test. Asking "Are you sure you want to do this?" now that there are no longer "OK" and "Cancel" buttons is confusing and my wife just asked me "How do I tell I'm sure?"

Not sure about the best wording. I took the same approach as Twitter's expired OAuth token links, with a message that does not let the user think there is something to confirm.

Attachments (2)

ays-message.diff (759 bytes) - added by ozh 8 years ago.
sure.jpg (186.5 KB) - added by Presskopp 23 months ago.


Change History (20)

#1 @ozh
8 years ago

  • Version set to 3.1

#2 @ocean90
7 years ago

  • Keywords ux-feedback added; semantics removed

#3 @nacin
7 years ago

  • Keywords 3.2-early added
  • Milestone changed from Awaiting Review to Future Release


#4 @hakre
7 years ago

+1 to fix, the old message was misleading.

#5 @azaozz
7 years ago

The "Link has expired" message is better than "Are you sure" but IMHO still quite vague for the average user. Perhaps it can be "This action has failed" as suggested in http://core.trac.wordpress.org/ticket/8552#comment:3.

Also it doesn't offer an action for the user to continue. As far as I can see nearly all legitimate nonce errors are caused by expired user login. Perhaps we can add a link to [site]/wp-admin (needs to be audited) or even go further and check if the user is logged in when generating the "nonce failed" message and show alternate explanation:

User logged in: "This action has failed. [Back to WordPress admin]"
Login expired: "Your login has expired. Please [log in] again."

#6 @hakre
7 years ago

"That Request has expired and is not valid any longer. Please go back and start over."

If a login expires, isn't the user redirected to the login form already? "Reauth"

Related: #14060

#7 @ramiy
7 years ago

Related: #18218

#8 @toscho
6 years ago

  • Cc info@… added

#9 @scribu
6 years ago

  • Keywords needs-patch added; has-patch ays removed

As azaozz said, the wording in the current patch isn't too much of an improvement. It can be shown when submitting a form, for instance.

I don't think we need to provide any link. The Back button should be good enough.

#10 @c3mdigital
5 years ago

#21189 was marked as a duplicate.

#11 @nacin
4 years ago

  • Component changed from Warnings/Notices to Security

#12 @ericlewis
4 years ago

It sounds like we have two ways to go here.

We go down the rabbit hole, and attempt to give the user as much detail as we can about the issue. Whether they're logged in, whether the nonce failed, perhaps even what nonce, etc.

We give a blanket "this thing broke" error, and point them in the right direction of where to go from here.

#14 @chriscct7
2 years ago

  • Keywords dev-feedback added; 3.2-early removed
  • Severity changed from trivial to minor

#15 @ericlewis
2 years ago

What's the simplest way to reproduce this?

#16 @Presskopp
23 months ago

The question at the end is totally senseless here. It's senseless because it's a listing of errors, nothing to choose (yes/no), and even if I could, which one would I choose :) ?

#17 @karmatosed
20 months ago

As far as possible, giving an actual thing you can do or next action is far better than a blanket message. The 'are you sure you want to do this' has always felt weird to me. We lead users to second-guess and that's really not cool. I'm commenting to try and get some progress on this and see if we can get this worked on again.

This ticket was mentioned in Slack in #core-customize by paaljoachim.

10 months ago
