XHR WP-JSON Request Returns 403
Hello,
Report number: NZUODOZZ
I’ve been using your plugin for many years and so am quite familiar with it. However, I am having a problem I’ve never encountered before with one of my client sites.
The site in question uses The Events Calendar by Modern Tribe (I have tested for plugin conflicts – please see below). When on the linked page (the URL provided as the one I need help with), on the initial page view it is possible without any problem to navigate to the previous or next page of results using the pagination navigation at the bottom of the page.
However, if you attempt to do the same thing after clicking ‘previous’ or ‘next’ (i.e. after the XHR request has returned data, which has in turn been injected into the page), the XHR request that fetches the next result set will fail and return a 403.
This problem is always consistent – the links work fine after the initial page load but never after paging through the feed. It doesn’t matter whether you try to move forward or backwards through the results. The issue also persists when I am logged in as an admin (and my user role is excluded from all caching and optimisation).
After a bit of investigation, I noticed that in the request data for the responses that return a 403, the nonce sent in the XHR has a curly brace and a slash at the end, like so: “_wpnonce: 8c827720d6{\”. However, in the requests that work on the initial page load, the nonce is purely alphanumeric, like so: “_wpnonce: 29d1a263eb”. It looks like the HTML returned via the initial XHR is corrupt in some way, which leads to a corrupted nonce being sent in subsequent requests.
I haven’t been able to reproduce this issue on my development server (which is an exact file/db replica of the live site). The only plugin that is not running on my development server is the LiteSpeed cache plugin, which suggests that it is this plugin that is causing the issue.
With the plugin enabled, I have also tried the following settings:
- Page caching activated, but all pages starting with /events/ are excluded, as are admin users
- JS minification / concatenation deactivated, so original JS files are being served whether the user is logged in/out
- Serve stale switched off
- Caching for REST deactivated
- _wpnonce added to ESI excludes (which itself is turned on)
I have already spoken to my web host, who have confirmed that there are no firewall rules at their end that could be affecting the XHR requests. I have also tested whilst bypassing Cloudflare to eliminate any interference from their WAF rulesets.
Please could you advise on the above?
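A diagnostic check for the malformed nonce described in the post, as an added example that is not part of the original post or of any plugin's code: it scans captured requests for `_wpnonce` values that are not 10 hex characters and reports the trailing characters. The host, route and request shape are hypothetical, the sample requests are constructed around the two nonce values quoted in the post, and the 10-hex-character format is an assumption about how WordPress core formats nonces.

```javascript
// Added diagnostic example; not code from any plugin named in the post.
// Assumption: a well-formed nonce is exactly 10 lowercase hex characters.
const NONCE_RE = /^[0-9a-f]{10}$/;

// Recursively collect every "_wpnonce" value in a parsed JSON body.
function fromJson(node, out) {
  if (node === null || typeof node !== 'object') return;
  for (const [key, value] of Object.entries(node)) {
    if (key === '_wpnonce') out.push(String(value));
    else fromJson(value, out);
  }
}

// Collect nonces from the query string and from a form-encoded or JSON body.
function extractNonces(url, body = '') {
  const out = [...new URL(url).searchParams.getAll('_wpnonce')];
  const text = body.trim();
  if (text.startsWith('{') || text.startsWith('[')) {
    try { fromJson(JSON.parse(text), out); } catch { /* not valid JSON */ }
  } else if (text) {
    out.push(...new URLSearchParams(text).getAll('_wpnonce'));
  }
  return out;
}

// Flag each malformed nonce and split it into a clean prefix and trailing junk.
function auditRequests(requests) {
  const findings = [];
  requests.forEach((req, index) => {
    for (const nonce of extractNonces(req.url, req.body)) {
      if (NONCE_RE.test(nonce)) continue;
      const prefix = (nonce.match(/^[0-9a-f]{0,10}/) || [''])[0];
      findings.push({ index, nonce, prefix, junk: nonce.slice(prefix.length) });
    }
  });
  return findings;
}

// Constructed sample: nonce values quoted in the post, hypothetical host and route.
const SAMPLE = [
  { url: 'https://example.test/wp-json/hypothetical/v1/list?_wpnonce=29d1a263eb' },
  { url: 'https://example.test/wp-json/hypothetical/v1/list?_wpnonce=8c827720d6%7B%5C' },
  { url: 'https://example.test/wp-json/hypothetical/v1/list', body: '{"view":{"_wpnonce":"8c827720d6{\\\\"}}' },
];
console.log(auditRequests(SAMPLE));
```

Feeding it requests exported from the browser's network panel shows which request first carries the extra characters, which narrows down the response that injected them.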