• Resolved Ian Pegg

    (@ianpegg)


    Hello,

    Report number: NZUODOZZ

    I’ve been using your plugin for many years and so am quite familiar with it. However, I am having a problem I’ve never encountered before with one of my client sites.

    The site in question uses The Events Calendar by Modern Tribe (I have tested for plugin conflicts – please see below). When on the linked page (the URL provided as the one I need help with), on the initial page view it is possible without any problem to navigate to the previous or next page of results using the pagination navigation at the bottom of the page.

    However, if you attempt to do the same thing after clicking ‘previous’ or ‘next’ (i.e. after the XHR request has returned data, which has in turn been injected into the page), the XHR request that fetches the next result set will fail and return a 403.

    This problem is always consistent – the links work fine after the initial page load but never after paging through the feed. It doesn’t matter whether you try to move forward or backwards through the results. The issue also persists when I am logged in as an admin (and my user role is excluded from all caching and optimisation).

    After a bit of investigation, I noticed that in the request data for the responses that return a 403, the nonce sent in the XHR has a curly brace and a slash at the end, like so: “_wpnonce: 8c827720d6{\”, however in the requests that work on the initial page load, the nonce is purely alphanumeric like so: “_wpnonce: 29d1a263eb”. It looks like the HTML returned via the initial XHR is corrupt in some way, which leads to a corrupted nonce being sent in subsequent requests.

    I haven’t been able to reproduce this issue on my development server (which is an exact file/db replica of the live site). The only plugin that is not running on my development server is the LiteSpeed cache plugin, which suggests that it is this plugin that is causing the issue.

    With the plugin enabled, I have also tried the following settings:

    • Page caching activated, but all pages starting with /events/ are excluded, as are admin users
    • JS minification / concatenation deactivated, so original JS files are being served whether the user is logged in/out
    • Serve stale switched off
    • Caching for REST deactivated
    • _wpnonce added to ESI excludes (which itself is turned on)

    I have already spoken to my web host, who have confirmed that there are no firewall rules at their end that could be affecting the XHR requests. I have also tested whilst bypassing Cloudflare to eliminate any interference from their WAF rulesets.

    Please could you advise on the above?

    The page I need help with: [log in to see the link]
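A diagnostic for the symptom described in the post above, added here as an example (not code from the thread, LiteSpeed Cache or The Events Calendar): it scans a response body, either raw HTML or JSON carrying HTML fragments, and reports every `_wpnonce` value that is not a well-formed nonce, which shows whether the corruption is already present in what the server returned. The two nonce values are the ones quoted in the post; the `/events/list/` URLs, the `html` key and the function name are constructed for illustration, and the check assumes WordPress core's default nonce format of 10 hexadecimal characters.

```javascript
// Added example. Assumption: a valid nonce is exactly 10 hex characters
// (the WordPress core default).
const VALID_NONCE = /^[0-9a-f]{10}$/;

// _wpnonce as a query-string parameter or as a hidden-input value attribute.
// Captures everything up to the next delimiter so trailing junk is preserved.
const IN_TEXT = /_wpnonce["']?\s*(?:=|value=)\s*["']?([^"'&\s<>]*)/g;

function findMalformedNonces(body) {
  const findings = [];
  const check = (value, where) => {
    if (!VALID_NONCE.test(value)) findings.push({ where, value });
  };
  // Walk parsed JSON: string values are scanned as HTML/URL text,
  // keys literally named _wpnonce are validated directly.
  const walk = (node, path) => {
    if (typeof node === 'string') {
      for (const m of node.matchAll(IN_TEXT)) check(m[1], path);
    } else if (node && typeof node === 'object') {
      for (const [key, value] of Object.entries(node)) {
        const childPath = `${path}.${key}`;
        if (key === '_wpnonce' && typeof value === 'string') check(value, childPath);
        else walk(value, childPath);
      }
    }
  };
  let parsed;
  try {
    parsed = JSON.parse(body); // XHR responses are often JSON wrapping HTML
  } catch {
    parsed = body;             // not JSON: treat the body as plain HTML
  }
  walk(parsed, '$');
  return findings;
}

// Constructed sample bodies using the two nonce values quoted in the post.
const firstLoad = '<a href="/events/list/?page=2&_wpnonce=29d1a263eb">Next</a>';
const afterXhr = JSON.stringify({
  html: '<a href="/events/list/?page=3&_wpnonce=8c827720d6{\\">Next</a>',
});

console.log(findMalformedNonces(firstLoad)); // []
console.log(findMalformedNonces(afterXhr));  // one finding at $.html
```

Run against the saved body of the first XHR response, an empty result means the nonce was intact on the wire and was altered afterwards in the page; a finding means the response itself carried the malformed value.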

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support qtwrk

    (@qtwrk)

    https://theeventscalendar.com/products/wordpress-events-calendar/

    Is this the plugin that creates that “next” “previous”?

    Thread Starter Ian Pegg

    (@ianpegg)

    Hello @qtwrk – yes that’s right. This is not standard WP pagination.

    Plugin Support qtwrk

    (@qtwrk)

    Please try adding this into the ESI nonce list:

    tribe-*

    while keeping all JS options OFF first, then purge all and see how it goes.

    Thread Starter Ian Pegg

    (@ianpegg)

    Hello @qtwrk

    Thanks for your response. I just tried those steps but sadly no luck.

    After the first click, I’m still getting corrupted values for _wpnonce that look like this rather than like this.

    Any other thoughts?

    Plugin Support qtwrk

    (@qtwrk)

    Does that happen before or after you add the tribe-* one?

    Does it give a 403 immediately on the second refresh?

    Thread Starter Ian Pegg

    (@ianpegg)

    It exhibits the same behaviour both before and after adding the new nonce.

    Yes, immediate 403 but not after refreshing the whole page – only after the first set of feed items have been injected into the DOM after the XHR. A full page reload would work just fine.

    Plugin Support qtwrk

    (@qtwrk)

    I wonder where that {\ came from though…

    Please create a ticket by mail to support at litespeedtech.com with a reference link to this topic, and we will investigate further.

    Thread Starter Ian Pegg

    (@ianpegg)

    Hi @qtwrk, thanks for your help so far. I’ve just raised a ticket (#316201). If you could let me know what email address to use then I can create an admin login for you.

    Cheers!

  • The topic ‘XHR WP-JSON Request Returns 403’ is closed to new replies.