WordPress.org

Make WordPress Core

Opened 19 months ago

Last modified 19 months ago

#43617 new enhancement

Nonce invalid messages non-informative, needs changed

Reported by: mpol Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:
PR Number:

Description

As a followup to the "Cheating uh?" patch that has gone into WP 4.9.5, I think the message for an invalid Nonce can be improved.

I often run into the situation where I leave a webpage open for a day, planning to respond with a comment or something similar. By the time I post something, the Nonce is invalid. I then get an empty page with "Are you sure you want to do that?". I think "Yes" and reload the page, only to have the same error. I get slightly annoyed at the UI and have to hit the Back-button of my browser, which needs active thinking.

I think I am not alone in this. It is not just spammers hitting these messages. And I think it can be improved.

I think it would be good to explain what happened, even if it is too technical. The Nonce was invalid, and that needs to be conveyed. I am just not sure how what is a fitting message for most users while still informative.
"The Nonce on the page did not validate. If you are sure you want to do this, please go back and try again." might be a better message.

It could be followed by a backlink taking you back to the previous page. That could be based on the HTTP Referrer. If that is not available, a link with JavaScript with a 'history.back()' could do this job. I am not sure if that last option will refresh the page and thus the Nonce.

Attachments (1)

43617.png (81.6 KB) - added by peterwilsoncc 19 months ago.

Download all attachments as: .zip

Change History (3)

#1 @karmatosed
19 months ago

I would caution exposing the word 'nonce' as it has slang meanings we probably do not want to show to a user in some cultures, for example the UK. I understand it is a technical term, but it is also not a great slang word.

I am however in favour of making the message more appropriate leaving out that word.

Last edited 19 months ago by karmatosed (previous) (diff)

@peterwilsoncc
19 months ago

#2 @peterwilsoncc
19 months ago

Screenshot of error page in 43617.png.

Thanks for the report, I agree this can be improved.

Some logic may need to be added to core to differentiate between form submissions and link actions.

Related #38332, #43622

Note: See TracTickets for help on using tickets.