Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#43285 closed enhancement (fixed)

The default admin referrer policy header value blocks access to media on other servers in the admin panel

Reported by: qcmiao
Owned by: johnbillion
Milestone: 4.9.5
Priority: normal
Severity: normal
Version: 4.9
Component: Security
Keywords: has-patch
Focuses: administration
Cc:

Description

As a follow-up to #42036 and Changeset 41741: the default same-origin referrer policy may block access to media such as pictures in the media panel and the editor when they are stored on another server that has a referrer whitelist rule. Although we can still see the correct pictures in the article, it is still very inconvenient that we cannot see them when we manage them or edit articles. And if we allow no-referrer visits to the picture server, it will make the copyright of the pictures unsafe.

So, I hope the default admin referrer policy can be changed. I think strict-origin-when-cross-origin is more suitable than same-origin. strict-origin-when-cross-origin can also prevent other origins from knowing the whole URL of the admin panel.

The code in question is in wp-admin/includes/misc.php at line 1148, function wp_admin_headers().

/**
 * Send a referrer policy header so referrers are not sent externally from administration screens.
 *
 * @since 4.9.0
 */
function wp_admin_headers() {
        $policy = 'same-origin';

        /**
         * Filters the admin referrer policy header value. Default 'same-origin'.
         *
         * @since 4.9.0
         * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
         *
         * @param string $policy The referrer policy header value.
         */
        $policy = apply_filters( 'admin_referrer_policy', $policy );

        header( sprintf( 'Referrer-Policy: %s', $policy ) );
}
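As an added illustration (not part of the ticket, the attached patches, or WordPress core): a small Python model of the Referer header a browser sends under the policy values discussed here, applied to the reporter's scenario of an admin screen loading an image from a host that serves only whitelisted referrers. The hostnames, the whitelist check and the treatment of "downgrade" as a plain https to http transition are assumptions of the example, not anything the ticket states.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed URLs for the scenario in the ticket: an admin screen on the blog
# loading one image from its own host and one from a separate image host that
# only serves requests whose Referer host is on a whitelist.
ADMIN_PAGE = "https://blog.example/wp-admin/upload.php?item=123&mode=edit"
SAME_SITE_IMAGE = "https://blog.example/wp-content/uploads/cover.jpg"
REMOTE_IMAGE = "https://cdn.example/photos/2018/cover.jpg"
REMOTE_IMAGE_HTTP = "http://cdn.example/photos/2018/cover.jpg"  # https -> http downgrade case


def origin_of(url):
    """Serialize the origin (scheme://host[:port]) of an http(s) URL, else None."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return None
    default_port = {"http": 80, "https": 443}[p.scheme]
    host = p.hostname or ""
    if p.port is not None and p.port != default_port:
        host += f":{p.port}"
    return f"{p.scheme}://{host}"


def strip_for_referrer(url):
    """Drop credentials and fragment, as the spec does before a full URL is sent."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port is not None:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def referrer_for(policy, referrer_url, request_url):
    """Return the Referer value a browser sends when a page at referrer_url
    requests request_url under the given Referrer-Policy, or None if no header.

    Assumption: a 'downgrade' is modelled simply as https -> http; the spec's
    'potentially trustworthy URL' exceptions (e.g. http://localhost) are ignored.
    """
    ref_origin = origin_of(referrer_url)
    same_origin = ref_origin is not None and ref_origin == origin_of(request_url)
    downgrade = referrer_url.startswith("https://") and request_url.startswith("http://")
    full = strip_for_referrer(referrer_url)
    origin_only = ref_origin + "/" if ref_origin else None  # sent with a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy value: {policy}")


def hotlink_allows(referer, allowed_hosts, allow_blank=False):
    """Model of the image host's whitelist rule (assumed, not a real server):
    serve only if the Referer host is whitelisted; optionally also serve
    requests that carry no Referer at all (the option the reporter rejects)."""
    if referer is None:
        return allow_blank
    return (urlsplit(referer).hostname or "") in allowed_hosts


def leaks_admin_path(referer):
    """True if the Referer exposes more than the origin (path or query of the admin URL)."""
    if referer is None:
        return False
    p = urlsplit(referer)
    return p.path not in ("", "/") or bool(p.query)


def compare(policies=("no-referrer", "same-origin", "strict-origin-when-cross-origin")):
    """For each policy: Referer sent to the remote image host, whether that host's
    whitelist (blog.example only, no blank Referer) serves it, and whether the
    admin path leaks to the remote host."""
    result = {}
    for policy in policies:
        ref = referrer_for(policy, ADMIN_PAGE, REMOTE_IMAGE)
        result[policy] = (ref, hotlink_allows(ref, {"blog.example"}), leaks_admin_path(ref))
    return result


if __name__ == "__main__":
    for policy, (ref, served, leaks) in compare().items():
        print(f"{policy:35} Referer={ref!r:30} served={served} leaks_path={leaks}")
```

Under same-origin the remote host sees no Referer and refuses the image; under strict-origin-when-cross-origin it sees only `https://blog.example/`, which satisfies a host whitelist while keeping the admin path and query string off the wire, and on an https to http downgrade nothing is sent at all.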

Attachments (3)

changeset_41741.diff (1.5 KB) - added by qcmiao 7 years ago.
43285.patch (380 bytes) - added by aranwer104 7 years ago.
43285-filter-desc.patch (586 bytes) - added by aranwer104 7 years ago.
Updated default value in filter doc block description.


Change History (11)

#1 @johnbillion
7 years ago

  • Keywords needs-patch good-first-bug added
  • Milestone changed from Awaiting Review to 5.0
  • Type changed from defect (bug) to enhancement

Thanks for the ticket @qcmiao and welcome to WordPress Trac.

Attempting to protect your media files by way of the referer header is not a good idea; however, your recommendation to switch to strict-origin-when-cross-origin does make sense. I think it's the most appropriate referrer policy to use.

Last edited 7 years ago by johnbillion

#2 @qcmiao
7 years ago

  • Component changed from Media to HTTP API

@aranwer104
7 years ago

#3 @obenland
7 years ago

  • Owner set to aranwer104
  • Status changed from new to assigned

@aranwer104
7 years ago

Updated default value in filter doc block description.

#4 @johnbillion
7 years ago

  • Keywords has-patch added; needs-patch removed
  • Owner changed from aranwer104 to johnbillion
  • Status changed from assigned to reviewing

#5 @johnbillion
7 years ago

  • Keywords good-first-bug removed
  • Milestone changed from 5.0 to 4.9.5

Pushing this into the next minor because this is also blocking third-party fonts in the admin area which rely on a referer header being present (affects both fonts.net and typography.com).

#6 @johnbillion
7 years ago

  • Component changed from HTTP API to Security

#7 @johnbillion
7 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 42830:

Security: Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases.

This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area.

Props aranwer104, qcmiao

Fixes #43285

#8 @johnbillion
7 years ago

In 42831:

Security: Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases.

This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area.

Props aranwer104, qcmiao

Fixes #43285

Merges [42830] to the 4.9 branch.
