#42036 closed enhancement (fixed)
Add same-origin referrer-policy header to WP Admin pages
Reported by: | joostdevalk | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 4.9 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Security | Keywords: | has-patch commit |
Focuses: | Cc: |
Description
When a user clicks a link in the WP-Admin and goes to another site, the http referrer gets set. That means that site can see in their analytics and in their access logs where the user came from. This means that the location of people's wp-admin folders isn't kept safe. Especially if plugins add important data to the URL, that data is also not kept safe.
The above is why I'm suggesting implementing a referrer-policy header. This header, when set to same-origin, prevents the browser from sending the referrer when going to another site. The referrer _is_ sent when you from one page to the other in the admin, so we can keep using that reliably.
More info:
Attachments (3)
Change History (17)
#1
@
7 years ago
- Component changed from General to Security
- Owner set to joostdevalk
- Status changed from new to assigned
#2
follow-up:
↓ 3
@
7 years ago
You should consider that some customized servers are sending this header, so it could result in a duplicate header.
#3
in reply to:
↑ 2
;
follow-up:
↓ 4
@
7 years ago
Replying to QROkes:
You should consider that some customized servers are sending this header, so it could result in a duplicate header.
Having the header twice will not undo it.
#4
in reply to:
↑ 3
@
7 years ago
Replying to joostdevalk:
Replying to QROkes:
You should consider that some customized servers are sending this header, so it could result in a duplicate header.
Having the header twice will not undo it.
It's not that simple. HTTP RFC2616 available here says:
https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
"Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded. "
#5
@
7 years ago
As far as I know, and I'd love to be proven wrong: there's nothing we could do. The default is already set to true
as the second parameter for header
in the patch, thereby it tries to replace other headers of the same name, resulting from code.
Other than that, the fact that people have and will add headers to output is not something WordPress core can account for...
#6
@
7 years ago
- Keywords commit added
While an existing header through server configuration is a legitimate concern, in this case it's mitigated by being a new spec.
#7
@
7 years ago
- Keywords needs-refresh added; commit removed
+1 for this from me, but I think the header should be output on a hook so it can be unhooked in case a site owner wants to implement an even more strict referrer policy. After a cursory glance, it looks like admin_init
might be the only existing hook that's appropriate. Or a new action could be added to the top of wp-admin/admin-header.php
.
#9
@
7 years ago
Added a new patch that introduces the function wp_admin_headers
, and fires that on admin_init
and login_init
. This function also allows the policy to be filtered through the admin_referrer_policy
filter.
#10
@
7 years ago
- Keywords needs-refresh removed
- Owner changed from joostdevalk to johnbillion
- Status changed from assigned to reviewing
I like the look of this.
Patch