Make WordPress Core


Timestamp:
03/12/2018 10:56:53 AM (7 years ago)
Author:
johnbillion
Message:

Security: Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases.

This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area.

Props aranwer104, qcmiao

Fixes #43285

File:
1 edited

  • trunk/src/wp-admin/includes/misc.php

    r42757 r42830  
    11471147 */
    11481148function wp_admin_headers() {
    1149     $policy = 'same-origin';
     1149    $policy = 'strict-origin-when-cross-origin';
    11501150
    11511151    /**
    1152      * Filters the admin referrer policy header value. Default 'same-origin'.
     1152     * Filters the admin referrer policy header value.
    11531153     *
    11541154     * @since 4.9.0
     1155     * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
     1156     *
    11551157     * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
    11561158     *
    1157      * @param string $policy The referrer policy header value.
     1159     * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
    11581160     */
    11591161    $policy = apply_filters( 'admin_referrer_policy', $policy );
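Review bot: the new docblock (the `@since 4.9.5` line and the `@param` default) does not say what the looser default actually discloses, and the commit message's "in all cases" overstates it: with `strict-origin-when-cross-origin` the full admin URL is still sent on same-origin requests, only the scheme/host/port is sent on cross-origin requests, and nothing is sent when a cross-origin request downgrades from HTTPS to HTTP. Consider adding a sentence to the filter description such as "Cross-origin requests send only the admin origin, not the full URL; return 'same-origin' to withhold the referrer from third parties entirely." so that sites which must not expose even the admin host to third-party image and font hosts know the `admin_referrer_policy` filter is the place to restore the old behaviour.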