From ff5180e2a5f0451bc7daa930d73347b3e7495f00 Mon Sep 17 00:00:00 2001
From: "Dominik Schilling (ocean90)" <ocean90@git.wordpress.org>
Date: Sun, 18 Mar 2018 17:20:47 +0000
Subject: [PATCH] REST API JavaScript Client: Support an empty string for
 `nonce` to disable sending the X-WP-Nonce header.

Passing a `nonce` argument with an empty string to `wp.api.init()` now does no longer fall back to `wpApiSettings.nonce`. This makes it possible to stop sending nonce headers, for example to a read-only endpoint on another site in a multisite install.

Props adamsilverstein, FPCSJames, ocean90, swissspidy.
Fixes #42948, #43266.

git-svn-id: https://develop.svn.wordpress.org/trunk@42852 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/js/wp-api.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/wp-includes/js/wp-api.js b/src/wp-includes/js/wp-api.js
index fc9750fa70..9ac12fe889 100644
--- a/src/wp-includes/js/wp-api.js
+++ b/src/wp-includes/js/wp-api.js
@@ -848,7 +848,7 @@
 					model.unset( 'slug' );
 				}
 
-				if ( _.isFunction( model.nonce ) && ! _.isUndefined( model.nonce() ) && ! _.isNull( model.nonce() ) ) {
+				if ( _.isFunction( model.nonce ) && ! _.isEmpty( model.nonce() ) ) {
 					beforeSend = options.beforeSend;
 
 					// @todo enable option for jsonp endpoints
@@ -992,7 +992,7 @@
 
 				options = options || {};
 
-				if ( _.isFunction( model.nonce ) && ! _.isUndefined( model.nonce() ) && ! _.isNull( model.nonce() ) ) {
+				if ( _.isFunction( model.nonce ) && ! _.isEmpty( model.nonce() ) ) {
 					beforeSend = options.beforeSend;
 
 					// Include the nonce with requests.
@@ -1490,6 +1490,7 @@
 	 * Initialize the wp-api, optionally passing the API root.
 	 *
 	 * @param {object} [args]
+	 * @param {string} [args.nonce] The nonce. Optional, defaults to wpApiSettings.nonce.
 	 * @param {string} [args.apiRoot] The api root. Optional, defaults to wpApiSettings.root.
 	 * @param {string} [args.versionString] The version string. Optional, defaults to wpApiSettings.root.
 	 * @param {object} [args.schema] The schema. Optional, will be fetched from API if not provided.
@@ -1498,7 +1499,7 @@
 		var endpoint, attributes = {}, deferred, promise;
 
 		args                      = args || {};
-		attributes.nonce          = args.nonce || wpApiSettings.nonce || '';
+		attributes.nonce          = _.isString( args.nonce ) ? args.nonce : ( wpApiSettings.nonce || '' );
 		attributes.apiRoot        = args.apiRoot || wpApiSettings.root || '/wp-json';
 		attributes.versionString  = args.versionString || wpApiSettings.versionString || 'wp/v2/';
 		attributes.schema         = args.schema || null;