timholz

Thank you for suggesting ‘send_headers’. I made some tests and it seems to be the appropriate hook. The warning does not appear any more. Regards

@qtwrk – thank you. This works well. Regards

@qtwrk – thanks for responding. I want to generate some kind of feedback-message, that the purging has been successfully completed.

@litetim – thank’s a for the specification. Regards

@litetim – like so?:

add_action('litespeed_purged_all', 'report');
function report($report){
return $report;
}

• This reply was modified 2 months, 1 week ago by timholz.

@serafinnyc – thanks for the specification and your support. Regards theo

Hi @serafinnyc Thanks for the feedback. Did you test with the link i provided? What is PDP?

@litetim – thanks for responding.

the site has a sign from HTML

What does that mean and why is it there? Why is this url called? Is there a way to change that?

I found the reason. Sorry to bother you. Regards theo

• This reply was modified 3 months ago by timholz.
• This reply was modified 3 months ago by timholz.

Thanks a lot for this concise information. regards theo

CSP and the measures to protect scripts is something to keep in mind. Millions of people use litespeed. And all these people are somehow vulnerable with nonces that live for 12hours… Let us see where this csp stuff is going. Thank you.

Thanks for your care. But as i said this is not cryptographically random and therefore not suitable for csp.

And another test with esi enabled and 'my-nonce-name' added to esi-nonces field:

do_action('litespeed_nonce', 'my-nonce-name');
 $GLOBALS['testnonce'] = wp_create_nonce('my-nonce-name'); //to retrieve value in various places

Shows the same nonce throughout the whole site. do_action('litespeed_nonce','my-nonce-name'); does not do anything. I conclude that this is good for nothing. The rest of litespeed works well though.

• This reply was modified 3 months ago by timholz.

OK. This is my test:

add_action( 'run_custom_nonce_value', 'custom_nonce_value' );
    function custom_nonce_value(){
    do_action('litespeed_nonce', 'GurkensalatmitSauce');
    $created_nonce = wp_create_nonce('GurkensalatmitSauce');
    echo 'nonce_test: '. $created_nonce;
    return $created_nonce;
}

Esi enabled and ‘GurkensalatmitSauce’ added to the list. The echo is:

nonce_test: nonce_test: [an error occurred while processing this directive] 5d557226b9 

In the console i get various errors that scripts and inline scripts are rejected. With ESI disabled no errors at all, but everywhere the same nonce.

• This reply was modified 3 months ago by timholz.
• This reply was modified 3 months ago by timholz.

Yes, i am. I tried wp_create_nonce() and found out that it is the same nonce value throughout the whole website. It never changes and it is, as i learned, not cryptographically random, too.

I noticed that Convert custom nonce to ESI exists. I’ve even tried it. But without any success. The example is not very clear. For instance:

Then you need to call the API somewhere before that line, like so:

What does that mean? Somewhere before? Within the function that has wp_create_nonce() or outside?

• This reply was modified 3 months ago by timholz.
• This reply was modified 3 months ago by timholz. Reason: spelling

Thanks for responding. Reading the usage example, i presume that this applies to specific html elements. But how does this apply to nonces? Do i have to exclude the whole script from being cached? I tried:

add_filter("TOA_PLUGIN/nonce_scriptx", function ($_) {
    // put the data in cache to be sure to return the same value on all calls
    if (!isset($GLOBALS["TOA_PLUGIN"]["nonce_scriptx"])) {
 
        $GLOBALS["TOA_PLUGIN"]["nonce_scriptx"] = bin2hex(random_bytes(12));   
        
    }
    echo apply_filters( 'litespeed_esi_url', 'my_esi_block', 'Custom ESI block' );
    return $GLOBALS["TOA_PLUGIN"]["nonce_scriptx"];
    
});

and then the function the action hook as described. Result: an error is issued. Obviously this does not really apply.

• This reply was modified 3 months ago by timholz.