Bug Scrub Schedule for 5.6

With 5.6 officially kicked off, time to schedule the 5.6 sessions. These ticket scrubs will happen each week until the final release.

Past Scrubs:

Upcoming Scrubs:

Check this schedule often, as it will change to reflect the latest information.

What about recurring component scrubs and triage sessions?

The above 5.6 scheduled bug scrubs are separate and in addition.

For your reference, here are some of the recurring sessions:

  • Design Triage: Every Monday 16:30 UTC at #design
  • Gutenberg Design Triage: Every Tuesday 16:00 UTC at #design
  • Accessibility Scrub: Every Friday 14:00 UTC at #accessibility
  • APAC-friendly Bug Scrub: Every Tuesday at 05:00 UTC at #core will continue during the cycle, alternating focus between core and editor.

Want to lead a bug scrub?

Did you know that anyone can lead a bug scrub at any time? Yes, you can!

How? Ping me (@hellofromtonya) on Slack and let me know the day and time you’re considering as well as the report or tickets you want to scrub.

Planning one that’s 5.6-focused? Awesome! We’ll add it to the schedule here along with your name. You’ll get well deserved props in the weekly Dev Chat, as well as in the #props Slack channel!

Where can you find tickets to scrub? All open tickets for 5.6, in order of priority, can be found here. Tickets that haven’t seen any love in a while are in particular need. Those can be found in this query.

Need a refresher on bug scrubs? Check out Leading Bug Scrubs in the core handbook.

Questions?

Have a question, concern, or suggestion? Want to lead a bug scrub? Please leave a comment or reach out directly to me (@hellofromtonya) on Slack.

#5-6, #bug-scrub

Updating jQuery version shipped with WordPress

This has been a long time coming; the Trac ticket #37110 is already a few years old.

Following the recommendations of the jQuery team, the updating has to happen in stages:

  1. Remove jQuery Migrate 1.x. This is planned for WordPress 5.5.
  2. Update to the latest version of jQuery and add the latest jQuery Migrate. This is tentatively planned for WordPress 5.6 depending on test results. Updating to the latest jQuery UI, version 1.12.1, is also planned for 5.6.
  3. Remove jQuery Migrate. This is tentatively planned for WordPress 5.7 or later, depending on testing.

As planned, a Test jQuery Updates plugin was released to make it easy to test different versions of jQuery, jQuery Migrate, and jQuery UI. Please install it and thoroughly test if everything works as expected, especially on the front-end, or at the settings pages of other WordPress plugins.

How to help with testing

The plugin has a settings screen found under the Plugins menu in WordPress admin. Different versions of the jQuery libraries can be selected there for testing. Please test by:

  1. Disabling jQuery Migrate, and leaving jQuery and jQuery UI at the default versions (for WordPress 5.5).
  2. Selecting jQuery 3.5.1, enabling jQuery Migrate, and selecting jQuery UI 1.12.1 (for WordPress 5.6).
Test jQuery Updates settings screen, under the Plugins menu.

Updating your code

To get ready for this jQuery update, it’s important that you update your code. The migrate plugin will assist you in identifying issues. Additionally, the jQuery Core 3.0 Upgrade Guide and 3.5 Upgrade Guide provide detailed information about what has changed. As the list of supported browsers is also updated, this is also a great time for you to revisit what versions of browsers are supported by your themes and plugins.

See a bug?

If you find a bug in Test jQuery Updates, or if you run into a jQuery related issue, please report it at https://github.com/WordPress/wp-jquery-update-test. If the issue is with a default script in WordPress, please open a new ticket on Trac.

Thanks @andreamiddleton, @annezazu, and @jorbin for helping with this post.

#5-5, #jquery

#dev-notes

CSS Chat Agenda: 24 September 2020

Note: One hour before the meeting this week, @kburgoine will lead the core CSS triage! Triages are every other week one hour before the weekly chat, at 4pm EDT.

This is the agenda for the upcoming CSS meeting scheduled for Thursday, September 24, at 5:00 PM EDT.

This meeting will be held in the #core-css channel in the Making WordPress Slack.

If there’s any topic you’d like to discuss, please leave a comment below!

  • Housekeeping
    • Need a volunteer to help write up meeting summaries
  • Updates
    • CSS Audit (#49582) – Report generation
    • Color Scheming (#49999) – Feedback from design on color list
  • Open floor + CSS link share

#agenda, #core-css

Dev Chat Summary – 23 August 2020

Greetings! Here’s what happened in Core Wednesday, September 23, 2020, 07:00 AM GMT+2 and Wednesday, September 23, 2020, 10:00 PM GMT+2 on the #agenda.

0500 core devchat

@thewebprincess led the discussion; the meeting was a bit slow, so the team decided to run a bug scrub. Find the full Slack archive here.

2000 core devchat

@laurora facilitated the chat and @thelmachido took notes. Find the full Slack archive here.

Announcements

To see an overview of what’s happening keep an eye on make/updates, we’ve got quarterly updates from the team coming soon.

Highlighted blog posts

Dual licensing Gutenberg under GPL v2.0 and MPL v2.0
We need to gather feedback on the proposal to dual-license Gutenberg under GNU General Public License, v2 (GPL v2) and the Mozilla Public License v2.0 (MPL v2.0). Please share your perspective on the proposal from Maxime by adding comments to the post.

Introducing the next WordPress default theme – Twenty Twenty One
Weekly meetings on the theme will start on Monday 28 September at 15:00 in #core-themes. @chanthaboune clarified that the team will be shipping one theme, based on Seedlet, bundled with the release and they will be exploring a second FSE theme, after the first is stable, that is not bundled with the release. Besides what was discussed in the 5.6 planning post, FSE will now be done in the Gutenberg Plugin as a beta feature. See what the team said in the full Slack discussion; another ongoing discussion is going to be opened on make/core.

Proposal on REST API Authentication / Application Passwords
George Stephanis has put together a proposal for this; the hoped-for timeline for this proposal is version 5.6, but the team is not yet certain. There have been attempts to get other authentication mechanisms to a considerable state but none have been proposed for core as yet. See what the team contributed to the discussion in Slack. The discussion from here on out will be on #core-passwords even though they had temporarily been in #core-restapi. Feel free to join the discussion there.

How to gather updates from component maintainers & focus leads
Go through the post and share your opinion on the best way to gather updates as we are getting closer to release. Please share your perspective by commenting on the post by Wednesday 30 September.

Facebook embeds being deprecated
How will cached embeds look after the deprecation date? There is a need to test and collect data on how the JS scripts included in the embed will look after deprecation. How will the marketing crew share this information, and more broadly with users as a whole? These are some of the discussions that will be wrapped up in the comment section of the post.

Component maintainers

Build/Test Tools
Continued work on PHP 8 support. With quite a few fixes to unit tests and some fixes to core, this brings the tests from 87 errors and 331 failures on PHP 8 a couple of weeks ago (when the work had just started) to only 5 errors and 17 failures now (still to be addressed). Ticket #50913 includes most of the progress on this, some work was also done in other related tickets here.

For the I18N component, one change was committed this week. The Default Language network option in Multisite now has a language icon next to it. View ticket #51359.

Menus & Widgets have a couple of tickets that are waiting for committers to have a look at them.

Upgrades & Install: the first patch for the Major Core auto-updates ticket has been added; there are also a couple of tickets that are waiting for committers to have a look at them.

Additional eyes needed on testing and review for backlog on the Privacy component.

No updates of note this week from Date/Time, Permalinks or Site Health.

Open Floor

@ramiy put together a Post & Infographic on WordPress release facts & stats.

@enricocarraro is working towards making WordPress Strict CSP-compatible. Inline scripts refactoring #39941 and Inline event handlers and JavaScript URIs refactoring #32067. If anyone could review his PR that would be greatly appreciated.

Next Dev Chat meetings

The next meetings will take place on Wednesday, September 30, 2020, 07:00 AM GMT+2 and Wednesday, September 30, 2020, 20:00 PM GMT+2 in the #core Slack channel. Please feel free to drop in with any updates or questions. If you have items to discuss but cannot make the meeting, please leave a comment on this post so that we can take them into account. 

#5-5-1, #5-5-2, #5-6, #dev-chat, #summary

CSS Chat Summary: 17 September 2020

Housekeeping

Reminder that next week will be the core CSS bug scrub, this time led by @kburgoine and starting at 4pm EDT on Sept. 24 (one hour before the weekly chat). The bug scrubs (a.k.a. triages) are a great way for new contributors to get involved!

CSS Audit (#49582)

I’ve been working on a branch that displays the audit data in GitHub pages. The initial version can be seen here and the work in progress pull request is here. The next steps for the PR are getting documentation in place about generating reports, and styling the template.

More important, as @ibdz noticed – it looks like the audit for properties and values is not running, so we definitely need to get the data about font-sizes and pixel usage into the report.

Color Scheming (#49999)

@ryelle drafted a post for Make design about the color replacements work so far, specifically to ask what color list we should use, and to start gathering folks who would be interested in testing the replacements once a list has been decided on.

Open floor + CSS link share

I shared a link about the ::marker pseudo-element that allows us to style list bullets with CSS. It does not have full browser support yet, but is definitely a feature that can be used with @supports feature queries.

Thanks to @CodeXplorer and @ibdz for being enthusiastic first time attendees!

#core-css, #summary

Introducing Twenty Twenty-One

Well friends, it’s time for what I’m sure you’ve all been waiting for: an announcement about the next WordPress default theme! The rumors are true; WordPress 5.6 will launch with a brand new default theme: Twenty Twenty-One. 

The default theme team includes:

  • Default Theme Design Lead: Mel Choyce-Dwan (@melchoyce).
  • Default Theme Development Lead: Carolina Nymark (@poena).  
  • Default Theme Wrangler: Jessica Lyschik (@luminuu).
  • …and you, our fabulous volunteers!

Background

Twenty Twenty-One is designed to be a blank canvas for the block editor. After trying some designs heavily inspired by print resources, @kjellr remarked to me, “why not try something natively digital?” I added even more ideas to my increasingly unwieldy pinterest board and gave it a shot. The concept ended up being the most natural, usable design of the bunch. It was simple and un-opinionated, yet still refined. It felt like a fresh canvas, waiting to be painted.

Twenty Twenty-One will use a modified version of the Seedlet theme as its base. This provides us with a thorough system of nested CSS variables to make child theming easier, and to help integrate with the global styles functionality that’s under development for full-site editing.

Once the theme is stable, after Beta 1, we’ll start exploring Full Site Editing support.


Design Decisions

By default, the theme uses a native system font stack. I made this choice for a couple reasons:

  • No extra load time. Let’s keep this theme simple and fast.
  • This particular stack is pretty typographically “neutral” — none of the fonts are super opinionated, so the theme can be used broadly across different types of sites.
  • Using just the one font stack, without loading additional font files, also makes it easier for folks to customize or create a child theme for Twenty Twenty-One. We want this theme to be a teaching tool, and an outlet for your creativity.

The theme also uses a limited color palette: a pastel green background color, and two shades of dark grey for text. We’ll be bundling the theme with some additional color palettes, including both a white and a black color scheme. Why pastel green? Pastels and muted colors are pretty in right now (seriously I could keep going).

(Who doesn’t love a little pastel cottagecore during these troubling times?)

All this is to say: the design? It’s pretty simple. That’s where patterns come in.

Gutenberg introduced support for patterns in WordPress 5.5. This is the perfect time to show them off. Twenty Twenty-One will come packaged with a bunch of unique patterns designed explicitly for the theme. The theme’s overall design is simple, so you can make it your own, but the patterns will be opinionated. There are a couple already designed, and we’ll be relying on our talented community designers for more ideas. Here’s what we’re thinking about so far:

Want to contribute a block pattern? We have an issue template for that.

Lastly, we’d love to make the theme meet relevant guidelines from WCAG 2.1 level AAA. We loved the idea when +make.wordpress.org/accessibility/ brought it up, and would appreciate any and all guidance from our community a11y experts to help make this possible.

You can find full page mockups of Twenty Twenty-One in the Figma file.


Timeline

Per the development cycle information, the upcoming important dates are:

  • WP 5.6 Beta 1 – October 20
    • Last chance for feature projects and new enhancements
    • Theme should be committed to trunk
    • Start exploring FSE support in a second, block-based theme
  • WP 5.6 Beta 4 – November 10
    • Soft string freeze
    • Starter content should be committed
  • WP 5.6 RC 1 – November 17
    • Hard string freeze
    • Starter content needs to be finalized
  • WP 5.6 Release – December 8

Get Involved

If you are interested in contributing to Twenty Twenty-One, make sure you are following this blog. During the design and development process, there will be weekly meetings starting Monday, September 28 at 15:00 UTC in #core-themes. We’ll also be holding weekly triage sessions starting this Friday at 16:00 UTC.

Theme development will happen on GitHub and in the interest of time, an in-progress version of the theme code has been uploaded here: https://github.com/wordpress/twentytwentyone.

Once the theme is stable, it will be merged into core and the GitHub repo will be deprecated.


Learn More

If you’re interested in learning more about default themes, you can read the following posts:

#5-6, #bundled-theme, #core-themes, #twenty-twenty-one

Proposal: REST API Authentication / Application Passwords

Problem statement: no way to authenticate third-party access to REST API

Ever since the REST API infrastructure merged via #33982 and shipped in WordPress 4.4 in December 2015, it’s been gaining momentum and been used in more and more places—throughout WordPress’s admin, via plugins and themes, and enabled deep, robust interactions powering new functionality such as the Gutenberg block editor.

However, the functionality has been limited in that the only way to make authenticated requests to the API in core has been through Cookie & Nonce-based authentication—there is no good way for third-party applications to communicate with WordPress in an authenticated fashion, apart from the legacy XML-RPC API.

This has resulted in frustration for our Mobile teams especially as they’re working to integrate Gutenberg support, which relies on the REST API. For some time, they had to store a username and password to spoof a cookie and an interactive session in order to scrape a nonce from the wp-admin DOM, and later used an endpoint to get the nonce instead via [46253]. All of this is a tremendously messy and awkward usage that completely falls apart if someone uses a variant of a two-factor authentication system.

Spoofing an interactive session just to make API requests is bad form and needlessly complex.

We’d like to propose integrating Application Passwords into Core.

There have been many systems considered, including everything from multiple incarnations of OAuth, JWT, and even some solutions that are combinations of the two. Some called for a centralized app repository, some had open registration, but all were complex and none of them could build sufficient traction to come to fruition.

Broad conceptual overview of varying methods (See: WP-API/authentication#15)

A simpler alternative to Application Passwords is pure Basic Authentication, detailed in #42790. However, Application Passwords is more comprehensive, and a far superior choice for the reasons that follow.

Benefit: Ease of API Requests

Given a login and an application password, making an API request is as simple as

curl --user "USERNAME:APPLICATION_PASSWORD" -X POST -d "title=New Title" https://my.wordpress.site/wp-json/wp/v2/posts/POST_ID

It uses the standard HTTP authorization headers. Everything supports this trivially.

Benefit: Ease of Revoking Credentials

Application Passwords makes it easy to revoke any individual application password, or wholesale void all of a user’s application passwords. Application Passwords also lists the date a password was last used and the IP it was used from to help track down inactive credentials or bad actors using them from unexpected locations.

Benefit: Ease of Requesting API Credentials

While it is possible for a user to go to their user profile page and generate a new application password, for example if they are creating a command line tool for themselves, the ideal workflow looks something like this:

To request a password for your application, redirect users to:

https://example.com/wp-admin/authorize-application.php

The URL is included in the REST API index to facilitate automated discovery.

{
  "name": "Trunk",
  "authentication": {
    "application-passwords": {
      "endpoints": {
        "authorization": "http://example.com/wp-admin/authorize-application.php"
      }
    }
  }
}

and use the following GET request parameters to specify:

  • app_name (required) – The human readable identifier for your app. This will be the name of the generated application password, so structure it like … “WordPress Mobile App on iPhone 12” for uniqueness between multiple versions. If omitted, the user will be required to provide an application name.
  • success_url (recommended) – The URL that you’d like the user to be sent to if they approve the connection. Two GET variables will be appended when they are passed back (user_login and password); these credentials can then be used for API calls. If the success_url variable is omitted, a password will be generated and displayed to the user, to manually enter into your application.
  • reject_url (optional) – If included, the user will get sent there if they reject the connection. If omitted, the user will be sent to the success_url, with ?success=false appended to the end. If the success_url is omitted, the user will be sent to their WordPress dashboard.

If the user is logged out, they’ll be redirected to the WordPress Login page. After logging in, they’ll be immediately redirected back to the Authorize Application screen.

In discussions with @timothyblynjacobs we’re unsure about whether to add a state parameter (which is just stored and passed back to the application to prevent CSRF attacks). Realistically apps could just include it on their own in the success_url or a site_url parameter (which could remind the application what site the returned credentials are for). Requiring apps to pass a state parameter could encourage best practices, but we wouldn’t be able to enforce that they validate its contents.

It’s also worth noting that the success_url and reject_url are both explicitly designed so that apps can pass in custom protocols for the return URLs. That is, they could set them to be wordpress://authentication so that the user’s phone automatically redirects them back from their web browser, directly into the application with the credentials appended to the query. You may have seen this previously with other applications where you “Login with Facebook” in your browser and then Facebook sends you directly back into your app. Or with how your web browser can open Zoom directly on your laptop, pre-populating the room ID and password.
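The client side of the authorization flow described above, as an added example (not code from the proposal or from WordPress): it reads the authorization endpoint from the REST API index, carries an anti-CSRF state value inside success_url and reject_url as the discussion suggests apps can do on their own, and validates the redirect before building the Basic auth header. The function names, the HTTPS-only check and the app.example callback URL are assumptions of this example, as is the expectation that the site merges its variables into the return URL's existing query string.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: same shape as the index fragment above, served over HTTPS.
SAMPLE_INDEX = json.dumps({
    "name": "Trunk",
    "authentication": {"application-passwords": {"endpoints": {
        "authorization": "https://example.com/wp-admin/authorize-application.php"
    }}},
})


def discover_authorization_endpoint(index_json):
    """Return the advertised authorization URL, or None if the site has none."""
    index = json.loads(index_json)
    try:
        url = index["authentication"]["application-passwords"]["endpoints"]["authorization"]
    except (KeyError, TypeError):
        return None
    # Assumption of this example: the credentials travel in a redirect URL and
    # later in a Basic auth header, so a cleartext endpoint is refused.
    if urlsplit(url).scheme != "https":
        raise ValueError("authorization endpoint is not HTTPS")
    return url


def _with_query(url, extra):
    """Merge extra parameters into a URL's query string (custom schemes included)."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(extra.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_authorization_request(endpoint, app_name, success_url, reject_url=None):
    """Return (url_to_open, state); keep state with the pending login attempt."""
    state = secrets.token_urlsafe(32)  # unguessable, single use
    params = {
        "app_name": app_name,
        "success_url": _with_query(success_url, {"state": state}),
    }
    if reject_url:
        params["reject_url"] = _with_query(reject_url, {"state": state})
    return _with_query(endpoint, params), state


def handle_callback(callback_url, expected_state):
    """Validate the redirect back into the app.

    Returns (user_login, password) on approval and None on rejection.
    Raises ValueError when the state does not match or credentials are missing.
    """
    query = parse_qs(urlsplit(callback_url).query)
    states = query.get("state", [])
    # Exactly one state value, compared in constant time.
    if len(states) != 1 or not hmac.compare_digest(
        states[0].encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: callback does not belong to this session")
    if query.get("success", [""])[0] == "false":
        return None  # the user rejected the connection
    try:
        return query["user_login"][0], query["password"][0]
    except KeyError:
        raise ValueError("callback carries no credentials") from None


def basic_auth_header(user_login, password):
    """Build the standard HTTP Basic Authorization header for API requests."""
    token = base64.b64encode(f"{user_login}:{password}".encode()).decode("ascii")
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    endpoint = discover_authorization_endpoint(SAMPLE_INDEX)
    url, state = build_authorization_request(
        endpoint, "Example CLI on laptop", "https://app.example/callback"
    )
    print("Open in browser:", url)
    # Constructed callback, as the site would send after the user approves.
    callback = f"https://app.example/callback?state={state}&user_login=alice&password=abcd+EFGH+1234"
    login, password = handle_callback(callback, state)
    print(basic_auth_header(login, password))
```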

Benefit: Login Security

Unlike pure basic auth that requires entering in credentials directly into the application, Application Passwords allows for an interactive authentication flow. This means that login security features like Two Factor or reCAPTCHA can continue to protect user accounts.

One of the reasons XML-RPC is so often recommended to be disabled is that it allows brute forcing users’ passwords, since those additional security protections can’t be implemented. A risk of implementing pure basic auth is that sites will be forced to disable it because it can’t be interactive.

Proposed solution: merge Application Passwords to core

While there is a standalone plugin for Application Passwords that’s developed in a GitHub repo, PR#540 to WordPress-develop is the official work we’re proposing to be merged into core. The pull request is based off of the original feature plugin’s codebase. We welcome comments on this proposal post, contributions to Application Passwords itself, and even more so review and feedback on the existing merge proposal pull request.

Props to @timothyblynjacobs for help on the content of this post, @jeffpaul for help on the structure of this post, and the many many people who have contributed to the analysis behind this proposal and to Application Passwords.

#application-passwords, #authentication, #rest-api, #two-factor

Discussion: How best to gather Component/Focus Updates as we head towards release

The Challenge

One interesting challenge in the leadership and coordination of the release process is getting a clear and comprehensive understanding of the landscape of the release. The squad have some mechanisms in place to help reveal that landscape, devchat being one of the main cogs in that mechanism. In past release cycles, there have been other initiatives to try and make that landscape ‘higher resolution.’

In order to feel confident that the release is moving forward according to plan, it’s important for the release leads and wider release cohort to understand the progress with components and focus areas of the 5.6 release, whether or not there are any areas that are under-supported and need assistance, and what, if anything, is going to threaten the timeline and/or scope of that release.

In order to do this, the squad relies on regular and timely updates from component maintainers, focus leads, and feature plugin leads as the cohort moves towards the release date. So far, we have resorted to pinging @maintainers during devchat, and while that does occasionally elicit a response, it can be intrusive, especially if that component is not currently active, or if there’s no significant development happening for that component in relation to the release. There is also a chance that important information is missed if someone doesn’t respond to the ping.

The core problem is, how do we make sure we receive important updates from components and focus teams without creating an environment where the release squad is required to ping regularly and ask for updates? What kind of system can we implement that will work for the release squad and component maintainers?

Possible Solutions

Different release co-ordinators/leads have used different approaches such as pinging in devchat, or messaging Slack groups to ask for updates. There have been other options proposed at various times, like async reporting on weekly agenda posts, or a dedicated ‘check in post’ such as is used in the community team, or even a dedicated slack channel for component maintainers.

Each option has its pros and cons. So this post has been created to actually ask the component maintainers and focus squads what makes the most sense to them?

Share your thoughts!

This post invites discussion on how to explore ways that best encourage proactive sharing of progress/blockers so that the release team and other interested cohort members can be empowered to resolve issues, and be confident in the progress towards the goal. 

Questions:

  • If you are a component maintainer, what kind of process would you like to follow that would enable you to share regular updates?
  • If you are a part of the release cohort, how would you like to receive that information? 
  • Do you have any other thoughts or suggestions on how we can improve the flow of information generally, without overwhelming a channel full of contributors, or even individual contributors?

Please share your thoughts in the comments below by Wednesday September 30th 05:00 UTC.

Props to @angelasjin, @cbringmann, and @audrasjb for editing support.

Facebook and Instagram embeds to be deprecated October 24th

9/24/2020: Updated the post to reflect that the oembed_cache post type is only used for caching oEmbeds used within widget content. Also added a reference to the Core Trac ticket focused on removing the oEmbed support. @desrosj

Facebook recently announced that all oEmbed requests for Facebook and Instagram content will be deprecated on October 24th, 2020. These API requests are at the backbone of both Gutenberg and the Classic Editor to embed videos, pictures, updates, and more from the popular social platforms.

Changes to tokenless access for User Picture and FB/IG OEmbed endpoints: By October 24, 2020, developers must leverage a user, app, or client token when querying Graph API for user profile pictures via UID, FB OEmbeds and IG OEmbeds. Developers should provide a user or app token when querying for profile pictures via a UID or ASID, though client tokens are supported as well. Please visit our changelog for User Picture, Facebook OEmbed and Instagram OEmbed for details on how to start calling these Graph API endpoints today.

Facebook for Developers

In response to this change, WordPress will be removing Facebook and Instagram’s oEmbed endpoints from WordPress Core code. This change will likely be released in WordPress 5.6. But, if a 5.x minor release occurs after October 24th and before 5.6 (currently scheduled to be released on December 8, 2020), it could be included in that release. Gutenberg 9.0 recently removed support.

If you are a WordPress user or developer that is using Facebook or Instagram embeds, there are some community plugins that aim to bring support. For continued support, sites or applications will need to register developer accounts with Facebook, and add the relevant API keys to all requests.

Because oEmbed responses are cached in the database using either post meta or the hidden oembed_cache post type (currently used only in widgets), any embed added prior to the October 24th deadline will be preserved past the deprecation date. These posts are not purged by default in WordPress Core, so the contents of the embed will persist unless manually deleted.

Any new embeds added after the October 24th deadline will return the URL as a link if the Graph API request is not performed using a token.

To follow along with the changes to address this in WordPress Core, check out the ticket on Trac (#50861).

Props @francina, @desrosj, @clorith for proofread and review.

Dev Chat Agenda: September 23rd 2020

Here is the #agenda for this week’s meetings happening at:
Wednesday, 23rd September 2020, 05:00 UTC and Wednesday, 23rd September 2020, 20:00 UTC.

Please share any items you’d like to include in the comments below.

  • Announcements
  • Highlighted blog posts
  1. Proposal: Dual licensing Gutenberg under GPL v2.0 and MPL v2.0 Action Required: Please review the post and add your comments to the discussion.
  2. ETA by Francesca – Introducing Twenty Twenty One Action Required: Please review the post, leave feedback and get involved
  3. ETA by Francesca – Proposal: REST API Authentication / Application Passwords Action Required: Please review the post and add your comments to the discussion.
  4. ETA by Francesca – Discussion: How best to gather Component/Focus Updates as we head towards release Action Required: Please review the post and add your comments to the discussion.
  5. ETA by Francesca – Facebook and Instagram embeds to be deprecated October 24th
  • Updates from component maintainers and/or focus leads (also see item 4 in the above list)
  • Open Floor

If you have something else you want to include in the agenda, please mention it in the comments below.

The #dev-chat meetings will be held on Wednesday, 23rd September 2020, 05:00 UTC and Wednesday, 23rd September 2020, 20:00 UTC. These meetings are held in the #core channel. To join the meeting, you’ll need an account on the Making WordPress Slack.

#5-6, #agenda

Editor Chat Agenda 23 September, 2020

Facilitator and notetaker @itsjusteileen.

This is the agenda for the weekly editor chat scheduled for Wednesday, September 23, 2020, 10:00 AM EDT.

This meeting is held in the #core-editor channel in the Making WordPress Slack.

  • Gutenberg 9.0
  • 5.6 Project board
  • Monthly Plan for September 2020 and key project updates. With focus on issues, what is being done and help that is needed.
    • Global Styles.
    • Navigation screen and Navigation block.
    • Widgets screen.
    • Customizer screen.
    • Full Site Editing.
  • Task Coordination
  • Open Floor

Even if you can’t make the meeting, you’re encouraged to share anything relevant for the discussion:

  • If you have anything to share for the Task Coordination section, please leave it as a comment on this post.
  • If you have anything to propose for the agenda or other specific items related to those listed above, please leave a comment below.

#core-editor, #core-editor-agenda

Proposal: Dual licensing Gutenberg under GPL v2.0 and MPL v2.0

This post is to gather feedback about a proposal to dual license Gutenberg under GNU General Public License, v2 (GPL v2) and the Mozilla Public License v2.0 (MPL v2.0). Full context can be found on this issue on GitHub that was opened to gather feedback about the MPL v2.0 proposal. On that post, there are some positive comments from people who would like to use Gutenberg in their software, but who are currently limited by the GPL v2 license.

I’m posting this here to bring some visibility to this ticket. I’d also like to propose the following, if there is no blocker found by dual licensing:

  1. List all contributors (this can be automated via the GitHub API).
  2. Create a GitHub ticket to explain the change, ping all contributors and ask them to write a predefined comment to either “approve” or “reject” the dual licensing request. This was done in other big open source projects like rubinius (switched from BSD to MPL), mpv (switched from GPL to LGPL).
  3. Wait for contributors to reply.
  4. Contact contributors who do not reply in a timely manner to get their response.
  5. After all contributors respond, or when the target date is reached (e.g., one year in the future), remove or rewrite code from contributors who rejected the dual licensing and from contributors who didn’t reply.
  6. Switch the licensing scheme to GPL v2 + MPL v2.

The idea here is to keep some of the WordPress-specific modules under the GPL v2.0 only; some of them are not needed and not relevant for using Gutenberg in another software. Ideally, there would be a different way of bundling the project for being used in WordPress or in a non-GPL software.

Note that a similar license change has happened on Aztec-Android and Aztec-iOS.

Please comment on this post, or on the GitHub issue, if you have thoughts about this dual licensing idea or the ideas on how to make the change happen if this seems feasible.