Make WordPress Core


Timestamp:
01/27/2025 02:39:18 PM (12 months ago)
Author:
johnbillion
Message:

Security: Enable the referrer policy header on the login screen.

This sets the same referrer policy of strict-origin-when-cross-origin that's used in the admin area to prevent a referrer being sent to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within the URL.

The header can be disabled if necessary by removing the wp_admin_headers action from the login_init hook.

Props kkmuffme, sagarlakhani, albatross10

Fixes #62273
See #42036

File:
1 edited

  • trunk/src/wp-admin/includes/admin-filters.php

    r59260 r59712  
    4545// Misc hooks.
    4646add_action( 'admin_init', 'wp_admin_headers' );
    47 add_action( 'login_init', 'wp_admin_headers' );
    4847add_action( 'admin_init', 'send_frame_options_header', 10, 0 );
    4948add_action( 'admin_head', 'wp_admin_canonical_url' );
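Review bot: The new `add_action( 'login_init', 'wp_admin_headers' );` is registered at the default priority (10) with no inline comment, while the commit message tells site owners they can disable the header by removing this action from `login_init`; since `remove_action()` only matches when the priority agrees, consider adding a short comment on this line (referencing #62273 and noting it is removable via `remove_action( 'login_init', 'wp_admin_headers' )`) so the opt-out documented in the message is discoverable from the code itself.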