
Opened 4 months ago

Closed 3 months ago

Last modified 3 months ago

#43285 closed enhancement (fixed)

The default admin referrer policy header value blocks access to media on other servers in the admin panel

Reported by: qcmiao Owned by: johnbillion
Milestone: 4.9.5 Priority: normal
Severity: normal Version: 4.9
Component: Security Keywords: has-patch
Focuses: administration Cc:

Description

As an update from #42036 and Changeset 41741. The default same-origin referrer policy may block access to media such as pictures from the media panel and the editor when they are stored on another server that has a whitelist referrer rule. Although we can still see the correct pictures in the article, it is still very inconvenient that we cannot see them when we manage them or edit articles. And if we allow visits without a referrer to the picture server, it will make the copyright of the pictures unsafe.

So, I hope the default admin referrer policy can be changed. I think strict-origin-when-cross-origin is more suitable than same-origin. strict-origin-when-cross-origin can also prevent other origins from knowing the whole URL of the admin panel.

The code in question is in wp-admin/includes/misc.php, line 1148, function wp_admin_headers():

/**
 * Send a referrer policy header so referrers are not sent externally from administration screens.
 *
 * @since 4.9.0
 */
function wp_admin_headers() {
        $policy = 'same-origin';

        /**
         * Filters the admin referrer policy header value. Default 'same-origin'.
         *
         * @since 4.9.0
         * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
         *
         * @param string $policy The referrer policy header value.
         */
        $policy = apply_filters( 'admin_referrer_policy', $policy );

        header( sprintf( 'Referrer-Policy: %s', $policy ) );
}
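Added example (not code from the ticket or from WordPress core): a small Python model of the Referer value a browser attaches under each Referrer-Policy value, applied to a constructed admin edit screen loading an image from a separate media host. The hostnames and URLs are assumptions; the policy rules follow the W3C Referrer Policy specification.

```python
from urllib.parse import urlsplit

# Constructed sample: an admin edit screen loading an image from a media host.
ADMIN_PAGE = "https://blog.example/wp-admin/post.php?post=12&action=edit"
IMAGE_URL = "https://media.example/uploads/2018/02/photo.jpg"
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, effective port): the tuple browsers compare for same-origin."""
    u = urlsplit(url)
    return (u.scheme, u.hostname or "", u.port or DEFAULT_PORTS.get(u.scheme))

def serialize_origin(url):
    scheme, host, port = origin(url)
    port_part = "" if port == DEFAULT_PORTS.get(scheme) else f":{port}"
    return f"{scheme}://{host}{port_part}/"

def strip_for_referrer(url):
    """Full referrer per spec: credentials and fragment dropped, path and query kept."""
    u = urlsplit(url)
    scheme, host, port = origin(url)
    port_part = "" if port == DEFAULT_PORTS.get(scheme) else f":{port}"
    query = f"?{u.query}" if u.query else ""
    return f"{scheme}://{host}{port_part}{u.path or '/'}{query}"

def referer_for(policy, page_url, request_url):
    """Referer value sent when page_url requests request_url (None = header omitted)."""
    same = origin(page_url) == origin(request_url)
    # Downgrade: leaving a TLS-protected page for a plaintext destination.
    downgrade = page_url.startswith("https:") and request_url.startswith("http:")
    full, only_origin = strip_for_referrer(page_url), serialize_origin(page_url)
    rules = {
        "no-referrer": None,
        "unsafe-url": full,
        "same-origin": full if same else None,
        "no-referrer-when-downgrade": None if downgrade else full,
        "origin": only_origin,
        "strict-origin": None if downgrade else only_origin,
        "origin-when-cross-origin": full if same else only_origin,
        "strict-origin-when-cross-origin": full if same else (None if downgrade else only_origin),
    }
    if policy not in rules:
        raise ValueError(f"unknown Referrer-Policy value: {policy}")
    return rules[policy]

if __name__ == "__main__":
    for policy in ("same-origin", "strict-origin-when-cross-origin", "unsafe-url"):
        print(f"{policy:32} -> {referer_for(policy, ADMIN_PAGE, IMAGE_URL)}")
```

With same-origin the cross-host image request carries no Referer at all, which is why a referrer whitelist on the media host rejects it; strict-origin-when-cross-origin sends only "https://blog.example/", so the host check passes while the admin path and query string stay private.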

Attachments (3)

changeset_41741.diff (1.5 KB) - added by qcmiao 4 months ago.
43285.patch (380 bytes) - added by aranwer104 3 months ago.
43285-filter-desc.patch (586 bytes) - added by aranwer104 3 months ago.
Updated default value in filter doc block description.


Change History (11)

#1 @johnbillion
4 months ago

  • Keywords needs-patch good-first-bug added
  • Milestone changed from Awaiting Review to 5.0
  • Type changed from defect (bug) to enhancement

Thanks for the ticket @qcmiao and welcome to WordPress Trac.

Attempting to protect your media files by way of the referer header is not a good idea, however your recommendation to switch to strict-origin-when-cross-origin does make sense. I think it's the most appropriate referrer policy to use.


#2 @qcmiao
4 months ago

  • Component changed from Media to HTTP API

@aranwer104
3 months ago

#3 @obenland
3 months ago

  • Owner set to aranwer104
  • Status changed from new to assigned

@aranwer104
3 months ago

Updated default value in filter doc block description.

#4 @johnbillion
3 months ago

  • Keywords has-patch added; needs-patch removed
  • Owner changed from aranwer104 to johnbillion
  • Status changed from assigned to reviewing

#5 @johnbillion
3 months ago

  • Keywords good-first-bug removed
  • Milestone changed from 5.0 to 4.9.5

Pushing this into the next minor because this is also blocking third party fonts in the admin area which rely on a referer header being present (affects both fonts.net and typography.com).

#6 @johnbillion
3 months ago

  • Component changed from HTTP API to Security

#7 @johnbillion
3 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 42830:

Security: Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases.

This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area.

Props aranwer104, qcmiao

Fixes #43285

#8 @johnbillion
3 months ago

In 42831:

Security: Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases.

This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area.

Props aranwer104, qcmiao

Fixes #43285

Merges [42830] to the 4.9 branch.
