Make WordPress Core

Changeset 42831


Timestamp:
03/12/2018 10:58:24 AM (7 years ago)
Author:
johnbillion
Message:

Security: Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases.

This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area.

Props aranwer104, qcmiao

Fixes #43285

Merges [42830] to the 4.9 branch.

Location:
branches/4.9
Files:
2 edited

  • branches/4.9

  • branches/4.9/src/wp-admin/includes/misc.php

    r42213 r42831  
    11001100 */
    11011101function wp_admin_headers() {
    1102     $policy = 'same-origin';
     1102    $policy = 'strict-origin-when-cross-origin';
    11031103
    11041104    /**
    1105      * Filters the admin referrer policy header value. Default 'same-origin'.
     1105     * Filters the admin referrer policy header value.
    11061106     *
    11071107     * @since 4.9.0
     1108     * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
     1109     *
    11081110     * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
    11091111     *
    1110      * @param string $policy The referrer policy header value.
     1112     * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
    11111113     */
    11121114    $policy = apply_filters( 'admin_referrer_policy', $policy );
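Review bot: The commit message's "allow the referring host to be sent from the admin area in all cases" is broader than what the new default on the `$policy = 'strict-origin-when-cross-origin';` line actually does: cross-origin requests carry only the origin, and a request from an HTTPS admin to a plain-HTTP resource sends no Referer at all, so referrer-restricted images or fonts served over HTTP from an HTTPS admin will still not load. Worth stating that limit in the filter docblock next to the new `@since 4.9.5` note, e.g. `* Cross-origin requests send only the origin, and only when the protocol security level does not drop (HTTPS to HTTP sends nothing).`, so developers filtering `admin_referrer_policy` know which case the default still does not cover.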