#43285 closed enhancement (fixed)
The default admin referrer policy header value blocks access to media on other servers in the admin panel
Reported by: | qcmiao | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 4.9.5 | Priority: | normal |
Severity: | normal | Version: | 4.9 |
Component: | Security | Keywords: | has-patch |
Focuses: | administration | Cc: |
Description
As an update from #42036 and Changeset 41741. The default same-origin referrer policy may block access to media such as pictures from the media panel and the editor when they are stored on another server that has a whitelist referrer rule. Although we can still see the correct pics in the article, it is still very inconvenient that we cannot see them when we manage them or edit articles. And if we allow no-referrer visits to the pic server, it will make the copyright of the pics unsafe.
So, I hope the default admin referrer policy can be changed. I think strict-origin-when-cross-origin is more suitable than same-origin. The strict-origin-when-cross-origin policy can also prevent other origins from learning the whole URL of the admin panel.
The code concerned is in wp-admin/includes/misc.php, line 1148, function wp_admin_headers().
```php
/**
 * Send a referrer policy header so referrers are not sent externally from administration screens.
 *
 * @since 4.9.0
 */
function wp_admin_headers() {
	$policy = 'same-origin';

	/**
	 * Filters the admin referrer policy header value. Default 'same-origin'.
	 *
	 * @since 4.9.0
	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
	 *
	 * @param string $policy The referrer policy header value.
	 */
	$policy = apply_filters( 'admin_referrer_policy', $policy );

	header( sprintf( 'Referrer-Policy: %s', $policy ) );
}
```
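To make the trade-off in the ticket concrete, the following is an added example (not WordPress code and not from the ticket) that models what the browser sends in the Referer header under the three policies discussed (same-origin, strict-origin-when-cross-origin and no-referrer), and what a hypothetical media server that allowlists referrer origins would do with it. The URLs, the allowlist and the server logic are constructed for illustration; the policy rules follow the Referrer-Policy semantics linked from the code above.

```python
"""Model of how the admin Referrer-Policy value affects a cross-origin media
server that uses referrer-based hotlink protection (constructed example)."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs: an admin screen, an image hosted elsewhere and a local one.
ADMIN_PAGE = "https://blog.example/wp-admin/upload.php?item=123"
REMOTE_IMAGE = "https://media.example/uploads/pic.jpg"
LOCAL_IMAGE = "https://blog.example/wp-content/uploads/pic.jpg"
# Hypothetical allowlist configured on media.example (origins allowed to embed images).
MEDIA_SERVER_ALLOWED_ORIGINS = {"https://blog.example"}


def origin(url: str) -> str:
    """Scheme + host (+ port) of a URL, as used for the same-origin comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def full_referrer(url: str) -> str:
    """Referrer with credentials and fragment stripped (the most a browser sends)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def referrer_for(policy: str, source: str, destination: str):
    """Return the Referer value the browser would send, or None for no header."""
    same_origin = origin(source) == origin(destination)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return full_referrer(source) if same_origin else None
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full_referrer(source)      # full URL stays within our own origin
        if downgrade:
            return None                       # never leak HTTPS referrers to HTTP
        return origin(source) + "/"           # cross-origin: origin only, no path/query
    raise ValueError(f"policy not modelled: {policy}")


def media_server_allows(referrer, allowed_origins=MEDIA_SERVER_ALLOWED_ORIGINS) -> bool:
    """Hotlink check of the hypothetical media server: serve only allowlisted origins."""
    return referrer is not None and origin(referrer) in allowed_origins


def outcome(policy: str) -> dict:
    """What the admin screen experiences under a given policy when loading REMOTE_IMAGE."""
    ref = referrer_for(policy, ADMIN_PAGE, REMOTE_IMAGE)
    return {
        "referrer_sent": ref,
        "image_loads_in_admin": media_server_allows(ref),
        "admin_path_leaks": ref is not None and "/wp-admin/" in ref,
    }


if __name__ == "__main__":
    for policy in ("same-origin", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} {outcome(policy)}")
```

Under same-origin the media server receives no referrer at all and refuses the image, which is the breakage reported here; under strict-origin-when-cross-origin it receives only `https://blog.example/`, enough to pass an origin allowlist while the `/wp-admin/...` path and query never leave the site. The no-referrer row shows why relaxing the media server to accept empty referrers is not an answer: once empty referrers are accepted, the allowlist no longer distinguishes the site from anyone else, and since the header is entirely client-controlled it was never a strong access control to begin with.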
Attachments (3)
Change History (11)
#1 @ 7 years ago
- Keywords needs-patch good-first-bug added
- Milestone changed from Awaiting Review to 5.0
- Type changed from defect (bug) to enhancement
#4 @ 7 years ago
- Keywords has-patch added; needs-patch removed
- Owner changed from aranwer104 to johnbillion
- Status changed from assigned to reviewing
Thanks for the ticket @qcmiao and welcome to WordPress Trac.
Attempting to protect your media files by way of the referer header is not a good idea; however, your recommendation to switch to strict-origin-when-cross-origin does make sense. I think it's the most appropriate referrer policy to use.