Timestamp:
10/04/2017 06:24:17 PM
Author:
johnbillion
Message:

Security: Add a referrer policy header to the admin and login screens.

This sets a referrer policy of same-origin which adds hardening by preventing a referrer being sent from the admin area or login screens to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within URLs.

This change introduces a new filter, admin_referrer_policy, for filtering the referrer policy header value. The header can be disabled if necessary by removing the wp_admin_headers action from the admin_init and login_init hooks.

Props joostdevalk
Fixes #42036

File:
1 edited

  • trunk/src/wp-admin/includes/misc.php

    r41254 r41741  
    921921
    922922/**
     923 * Send a referrer policy header so referrers are not sent externally from administration screens.
     924 *
     925 * @since 4.9.0
     926 */
     927function wp_admin_headers() {
     928    $policy = 'same-origin';
     929
     930    /**
     931     * Filters the admin referrer policy header value. Default 'same-origin'.
     932     *
     933     * @since 4.9.0
     934     * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
     935     *
     936     * @param string $policy The referrer policy header value.
     937     */
     938    $policy = apply_filters( 'admin_referrer_policy', $policy );
     939
     940    header( sprintf( 'Referrer-Policy: %s', $policy ) );
     941}
     942
     943/**
    923944 * Outputs JS that reloads the page if the user navigated to it with the Back or Forward button.
    924945 *
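Review bot: the filtered `$policy` is sent unchecked at `header( sprintf( 'Referrer-Policy: %s', $policy ) );`, so a filter that returns an empty string produces a bare `Referrer-Policy:` header and any other string is emitted verbatim. Consider returning early when `$policy` is empty (which also gives callers a simpler way to disable the header than unhooking `wp_admin_headers` from `admin_init` and `login_init` as the message describes), and optionally rejecting values outside the set the Referrer-Policy specification defines (`no-referrer`, `no-referrer-when-downgrade`, `same-origin`, `origin`, `strict-origin`, `origin-when-cross-origin`, `strict-origin-when-cross-origin`, `unsafe-url`). Note also that the visible hunk contains only the function definition; the `add_action` registrations on `admin_init` and `login_init` that the message refers to are not among these lines and should be confirmed elsewhere in the changeset.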