
Changeset 59712


Timestamp:
01/27/2025 02:39:18 PM (34 hours ago)
Author:
johnbillion
Message:

Security: Enable the referrer policy header on the login screen.

This sets the same referrer policy of strict-origin-when-cross-origin that's used in the admin area, so that the full referrer URL is not sent to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within the URL.

The header can be disabled if necessary by removing the wp_admin_headers action from the login_init hook.

Props kkmuffme, sagarlakhani, albatross10

Fixes #62273
See #42036

Location:
trunk/src
Files:
4 edited

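--- a/trunk/src/wp-admin/includes/admin-filters.php
+++ b/trunk/src/wp-admin/includes/admin-filters.php
@@ -45,5 +45,4 @@
 // Misc hooks.
 add_action( 'admin_init', 'wp_admin_headers' );
-add_action( 'login_init', 'wp_admin_headers' );
 add_action( 'admin_init', 'send_frame_options_header', 10, 0 );
 add_action( 'admin_head', 'wp_admin_canonical_url' );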
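--- a/trunk/src/wp-admin/includes/misc.php
+++ b/trunk/src/wp-admin/includes/misc.php
@@ -1417,27 +1417,4 @@
 
 /**
- * Sends a referrer policy header so referrers are not sent externally from administration screens.
- *
- * @since 4.9.0
- */
-function wp_admin_headers() {
-    $policy = 'strict-origin-when-cross-origin';
-
-    /**
-     * Filters the admin referrer policy header value.
-     *
-     * @since 4.9.0
-     * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
-     *
-     * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
-     *
-     * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
-     */
-    $policy = apply_filters( 'admin_referrer_policy', $policy );
-
-    header( sprintf( 'Referrer-Policy: %s', $policy ) );
-}
-
-/**
  * Outputs JS that reloads the page if the user navigated to it with the Back or Forward button.
  *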
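--- a/trunk/src/wp-includes/default-filters.php
+++ b/trunk/src/wp-includes/default-filters.php
@@ -390,4 +390,5 @@
 add_action( 'login_footer', 'wp_print_footer_scripts', 20 );
 add_action( 'login_init', 'send_frame_options_header', 10, 0 );
+add_action( 'login_init', 'wp_admin_headers' );
 
 // Feed generator tags.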
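--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -7146,4 +7146,28 @@
 
 /**
+ * Sends a referrer policy header so referrers are not sent externally from administration screens.
+ *
+ * @since 4.9.0
+ * @since 6.8.0 This function was moved from `wp-admin/includes/misc.php` to `wp-includes/functions.php`.
+ */
+function wp_admin_headers() {
+    $policy = 'strict-origin-when-cross-origin';
+
+    /**
+     * Filters the admin referrer policy header value.
+     *
+     * @since 4.9.0
+     * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
+     *
+     * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+     *
+     * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
+     */
+    $policy = apply_filters( 'admin_referrer_policy', $policy );
+
+    header( sprintf( 'Referrer-Policy: %s', $policy ) );
+}
+
+/**
  * Retrieves a list of protocols to allow in HTML attributes.
  *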
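Review bot: The docblock on the moved `wp_admin_headers()` still says the header keeps referrers from being sent externally "from administration screens", but this changeset also hooks it to `login_init`, so the function description and the `admin_referrer_policy` filter docblock should both mention the login screen. I would change the first line to ` * Sends a referrer policy header so referrers are not sent externally from administration screens or the login screen.` and add a `@since 6.8.0` line to the filter docblock stating that the filtered value now also applies to the login screen, because any plugin already filtering this value for the admin area will from now on also change the policy sent by wp-login.php. The code itself moves unchanged from wp-admin/includes/misc.php, so only the documentation needs to catch up.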