Changeset 3462956

Timestamp:

02/16/2026 10:26:07 PM (4 days ago)

Author:

gkanters

Message:

Fix frontend batch-strings 403 on cached pages by allowing anonymous same-site requests when inline nonce is stale; keep referer/origin validation and existing rate limiting.

Location:

ai-translate

Files:

• tags/2.2.8/ai-translate.php (modified) (1 diff)
• trunk/ai-translate.php (modified) (1 diff)

ai-translate/tags/2.2.8/ai-translate.php

@@ -1235 +1235 @@
                 return true;
             }
+
+            // Public frontend pages can be heavily cached, causing stale inline nonces.
+            // Allow anonymous same-site requests without requiring a valid nonce.
+            if (!is_user_logged_in()) {
+                $origin = isset($_SERVER['HTTP_ORIGIN']) ? (string) $_SERVER['HTTP_ORIGIN'] : '';
+                if ($origin !== '' && strpos($origin, home_url()) !== 0) {
+                    return new \WP_Error('rest_forbidden', 'Invalid origin', ['status' => 403]);
+                }
+                return true;
+            }
+
             return new \WP_Error('rest_forbidden', 'Invalid nonce', ['status' => 403]);
         },

ai-translate/trunk/ai-translate.php

@@ -1235 +1235 @@
                 return true;
             }
+
+            // Public frontend pages can be heavily cached, causing stale inline nonces.
+            // Allow anonymous same-site requests without requiring a valid nonce.
+            if (!is_user_logged_in()) {
+                $origin = isset($_SERVER['HTTP_ORIGIN']) ? (string) $_SERVER['HTTP_ORIGIN'] : '';
+                if ($origin !== '' && strpos($origin, home_url()) !== 0) {
+                    return new \WP_Error('rest_forbidden', 'Invalid origin', ['status' => 403]);
+                }
+                return true;
+            }
+
             return new \WP_Error('rest_forbidden', 'Invalid nonce', ['status' => 403]);
         },