WordPress.org

Make WordPress Core

Opened 19 months ago

Closed 19 months ago

Last modified 17 months ago

#42036 closed enhancement (fixed)

Add same-origin referrer-policy header to WP Admin pages

Reported by: joostdevalk Owned by: johnbillion
Milestone: 4.9 Priority: normal
Severity: normal Version:
Component: Security Keywords: has-patch commit
Focuses: Cc:

Description

When a user clicks a link in the WP-Admin and goes to another site, the http referrer gets set. That means that site can see in their analytics and in their access logs where the user came from. This means that the location of people's wp-admin folders isn't kept safe. Especially if plugins add important data to the URL, that data is also not kept safe.

The above is why I'm suggesting implementing a referrer-policy header. This header, when set to same-origin, prevents the browser from sending the referrer when going to another site. The referrer _is_ sent when you from one page to the other in the admin, so we can keep using that reliably.

More info:

Attachments (3)

42036.diff (475 bytes) - added by joostdevalk 19 months ago.
Patch
42036.2.diff (1.5 KB) - added by joostdevalk 19 months ago.
Patch v2
42036.3.diff (1.5 KB) - added by joostdevalk 19 months ago.
Patch v3

Download all attachments as: .zip

Change History (17)

@joostdevalk
19 months ago

Patch

#1 @joostdevalk
19 months ago

  • Component changed from General to Security
  • Owner set to joostdevalk
  • Status changed from new to assigned

#2 follow-up: @QROkes
19 months ago

You should consider that some customized servers are sending this header, so it could result in a duplicate header.

#3 in reply to: ↑ 2 ; follow-up: @joostdevalk
19 months ago

Replying to QROkes:

You should consider that some customized servers are sending this header, so it could result in a duplicate header.

Having the header twice will not undo it.

#4 in reply to: ↑ 3 @QROkes
19 months ago

Replying to joostdevalk:

Replying to QROkes:

You should consider that some customized servers are sending this header, so it could result in a duplicate header.

Having the header twice will not undo it.

It's not that simple. HTTP RFC2616 available here says:
https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
"Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded. "

#5 @joostdevalk
19 months ago

As far as I know, and I'd love to be proven wrong: there's nothing we could do. The default is already set to true as the second parameter for header in the patch, thereby it tries to replace other headers of the same name, resulting from code.

Other than that, the fact that people have and will add headers to output is not something WordPress core can account for...

#6 @peterwilsoncc
19 months ago

  • Keywords commit added

While an existing header through server configuration is a legitimate concern, in this case it's mitigated by being a new spec.

#7 @johnbillion
19 months ago

  • Keywords needs-refresh added; commit removed

+1 for this from me, but I think the header should be output on a hook so it can be unhooked in case a site owner wants to implement an even more strict referrer policy. After a cursory glance, it looks like admin_init might be the only existing hook that's appropriate. Or a new action could be added to the top of wp-admin/admin-header.php.

#8 @johnbillion
19 months ago

Should this be added to wp-login.php too?

@joostdevalk
19 months ago

Patch v2

@joostdevalk
19 months ago

Patch v3

#9 @joostdevalk
19 months ago

Added a new patch that introduces the function wp_admin_headers, and fires that on admin_init and login_init. This function also allows the policy to be filtered through the admin_referrer_policy filter.

#10 @johnbillion
19 months ago

  • Keywords needs-refresh removed
  • Owner changed from joostdevalk to johnbillion
  • Status changed from assigned to reviewing

I like the look of this.

#11 @johnbillion
19 months ago

  • Keywords commit added

This ticket was mentioned in Slack in #core by jeffpaul. View the logs.


19 months ago

#13 @johnbillion
19 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 41741:

Security: Add a referrer policy header to the admin and login screens.

This sets a referrer policy of same-origin which adds hardening by preventing a referrer being sent from the admin area or login screens to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within URLs.

This change introduces a new filter, admin_referrer_policy, for filtering the referrer policy header value. The header can be disabled if necessary by removing the wp_admin_headers action from the admin_init and login_init hooks.

Props joostdevalk
Fixes #42036

This ticket was mentioned in Slack in #core by ocean90. View the logs.


17 months ago

Note: See TracTickets for help on using tickets.