Mixed http/https access to admin can cause infinite loop of nonce checks

[mboynes]

Description

Gutenberg can find itself in an infinite loop of REST requests due to an invalid nonce if a user uses their site over https but at some point happens to load up the login screen over http. This happened to me in a local environment where I don't force https traffic but have a cert available. I inadvertently navigated to the http address, realized my mistake and re-navigated to the https address, and when I created a post in Gutenberg it was unusable.

Step-by-step reproduction instructions

1. Sign into wp-admin successfully at https address, e.g. https://wp.test/wp-admin/.
2. Load up the http:// variant of wp-admin, e.g. http://wp.test/wp-admin/. You will get the login screen but don't sign in.
3. Load up wp-admin again at the https address, e.g. https://wp.test/wp-admin/
4. Open browser console and go to network tab
5. Navigate to create a new post in GB, e.g. https://wp.test/wp-admin/post-new.php
6. Observe an infinite loop of 403 requests in the network tab of the browser console due to invalid nonces.

Screenshots, screen recording, code snippet

to-infinity-and-beyond.mp4

Environment info

• WordPress 5.8.1 using Twenty Twenty-One theme, no plugins active
• Chrome 95.0.4638.54
• MacOS 11.6

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes

[skorasaurus]

Thanks for reporting;

I'm not able to reproduce this; when I hit step 2 of http://testsite.test ; I am automatically redirected to https://wp.test/wp-admin/ and am already logged in. (In chrome, I use vvv which has self-signed SSL certs)

This may depend on your local environment; what are you using?

[mboynes]

Yes, this would be environment-dependent. The server would have to be configured to not automatically redirect http requests to https. Mine does not redirect http → https.

I just tested again in a new environment with a fresh installation of WordPress (5.9.1) and am still able to replicate using the instructions I wrote above.

[ryanboswell]

I think this problem is slightly broader than just http/https redirect issues, but anytime that a JSON API endpoint returns a 403 error, the request is retried until it gets a successful response. In most cases, that's probably unlikely and so it get stuck in an infinite loop.

I just encountered this because our instance forces WordPress into a read-only mode (we force read-only database credentials) for certain JSON API request paths that are publicly accessible as a precaution. In that mode, WordPress cannot perform cookie or nonce auth and returns a 403 when auth is even attempted (which the editor does automatically for JSON API requests). Specifically, after the WordPress 5.9 update the editor makes a call to the base JSON API route which in our case we force to be read-only and it triggers the endless issue.

It seems that the API fetch utils aren't fully aware of error states and in at least some cases end up in an infinite hole of retries if an error is returned (at least in the case of 403 errors, I haven't worked to prove other cases). In most cases that error is probably final and the result won't change from one second to the next and the API code should handle that accordingly.

[Mamaduka]

Related to #13509, #42400.