Make WordPress Core

Opened 7 years ago

Closed 2 months ago

#43617 closed enhancement (duplicate)

Nonce invalid messages non-informative, needs changed

Reported by: mpol
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses:
Cc:

Description

As a followup to the "Cheating uh?" patch that has gone into WP 4.9.5, I think the message for an invalid Nonce can be improved.

I often run into the situation where I leave a webpage open for a day, planning to respond with a comment or something similar. By the time I post something, the Nonce is invalid. I then get an empty page with "Are you sure you want to do that?". I think "Yes" and reload the page, only to have the same error. I get slightly annoyed at the UI and have to hit the Back-button of my browser, which needs active thinking.

I think I am not alone in this. It is not just spammers hitting these messages. And I think it can be improved.

I think it would be good to explain what happened, even if it is too technical. The Nonce was invalid, and that needs to be conveyed. I am just not sure what is a fitting message for most users while still informative.
"The Nonce on the page did not validate. If you are sure you want to do this, please go back and try again." might be a better message.

It could be followed by a backlink taking you back to the previous page. That could be based on the HTTP Referrer. If that is not available, a link with JavaScript with a 'history.back()' could do this job. I am not sure if that last option will refresh the page and thus the Nonce.

Attachments (1)

43617.png (81.6 KB) - added by peterwilsoncc 7 years ago.


Change History (6)

#1 follow-up: @karmatosed
7 years ago

I would caution exposing the word 'nonce' as it has slang meanings we probably do not want to show to a user in some cultures. I understand it is a technical term, but it is also not a great slang word.

I am however in favour of making the message more appropriate leaving out that word.


@peterwilsoncc
7 years ago

#2 @peterwilsoncc
7 years ago

Screenshot of error page in 43617.png.

Thanks for the report, I agree this can be improved.

Some logic may need to be added to core to differentiate between form submissions and link actions.

Related #38332, #43622

#3 in reply to: ↑ 1 @SergeyBiryukov
3 years ago

Replying to karmatosed:

I would caution exposing the word 'nonce' as it has slang meanings we probably do not want to show to a user in some cultures, for example the UK. I understand it is a technical term, but it is also not a great slang word.

I am however in favour of making the message more appropriate leaving out that word.

Related: #50382

#4 @tw2113
2 months ago

I feel like this one is probably good to close as resolved. I'm not finding the original "Cheating uh?" message string in trunk at the moment, and because of that, it feels like there's nothing left to resolve here.

#5 @johnbillion
2 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Agreed, this was improved in #38332, the message for an expired nonce now says "The link you followed has expired" and there is a "Please try again" link which takes you back to the referring page.
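
Why a form left open for a day fails, and why reloading the error page does not help, shown with a simplified model of a time-bucketed nonce. This is an added example, not WordPress core code and not from any commenter on this ticket; the secret, the `model_*` function names and the timestamps are constructed, and the one-day lifetime split into two half-day ticks follows WordPress's default.

```php
<?php
// Simplified model of a time-bucketed ("tick") form token. Not WordPress core code.
// SECRET, the model_* names and the timestamps below are constructed for illustration.
const SECRET     = 'constructed-demo-secret';
const NONCE_LIFE = 86400; // one day, checked as two half-life ticks

function model_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function model_hash(int $tick, string $action, int $uid): string {
    return substr(hash_hmac('sha256', $tick . '|' . $action . '|' . $uid, SECRET), 0, 10);
}

function model_create(string $action, int $uid, int $now): string {
    return model_hash(model_tick($now), $action, $uid);
}

// Returns 1 (issued in the current tick), 2 (previous tick) or false (expired or forged).
function model_verify(string $nonce, string $action, int $uid, int $now) {
    $tick = model_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $age => $t) {
        // Constant-time comparison so the check does not leak how many characters matched.
        if (hash_equals(model_hash($t, $action, $uid), $nonce)) {
            return $age;
        }
    }
    return false;
}

$loaded = 1700000000; // constructed: moment the comment form was rendered
$nonce  = model_create('post-comment', 7, $loaded);

// The same token submitted 1, 13 and 25 hours after the page was loaded.
foreach ([1, 13, 25] as $hours) {
    $result = model_verify($nonce, 'post-comment', 7, $loaded + $hours * 3600);
    printf("submitted after %2dh: %s\n", $hours, var_export($result, true));
}

// Reloading the error page re-sends the same stale value, so it is rejected again.
$later = $loaded + 25 * 3600;
var_dump(model_verify($nonce, 'post-comment', 7, $later));

// Going back and re-rendering the form issues a token for the current tick.
var_dump(model_verify(model_create('post-comment', 7, $later), 'post-comment', 7, $later));
```

Because validity is tied to tick boundaries rather than to the moment of issue, the usable lifetime of a token in this model falls anywhere between half and the full configured lifetime.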
