Make WordPress Core

Opened 13 days ago

Last modified 4 days ago

#43285 reviewing enhancement

The default admin referrer policy header value block the access to media on other server in admin panel

Reported by: qcmiao Owned by: johnbillion
Milestone: 5.0 Priority: normal
Severity: normal Version: 4.9
Component: HTTP API Keywords: good-first-bug has-patch
Focuses: administration Cc:


As an update from #42036 and Changeset 41741. The default same-origin referrer policy may block the access to media like pictures from the media panel and the editor when they are stored on another server and have white-list referrer rule. Although we can still see the correct pics in the article, it is still very inconvenient that we cannot see them when we manage them or edit articles. And if we allow none-referrer visits to the pic server, it will make the copyright of pics unsafe.

So, I hope the default admin referrer policy can be changed. I think strict-origin-when-cross-origin is more suitable than same-origin. The strict-origin-when-cross-origin can also prevent other origins know the whole URL from admin panel.

The code be reflected is in wp-admin/includes/misc.php line.1148 function wp_admin_headers().

 * Send a referrer policy header so referrers are not sent externally from administration screens.
 * @since 4.9.0
function wp_admin_headers() {
        $policy = 'same-origin';

         * Filters the admin referrer policy header value. Default 'same-origin'.
         * @since 4.9.0
         * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
         * @param string $policy The referrer policy header value.
        $policy = apply_filters( 'admin_referrer_policy', $policy );

        header( sprintf( 'Referrer-Policy: %s', $policy ) );

Attachments (3)

changeset_41741.diff (1.5 KB) - added by qcmiao 13 days ago.
43285.patch (380 bytes) - added by aranwer104 7 days ago.
43285-filter-desc.patch (586 bytes) - added by aranwer104 6 days ago.
Updated default value in filter doc block description.

Download all attachments as: .zip

Change History (7)

#1 @johnbillion
12 days ago

  • Keywords needs-patch good-first-bug added
  • Milestone changed from Awaiting Review to 5.0
  • Type changed from defect (bug) to enhancement

Thanks for the ticket @qcmiao and welcome to WordPress Trac.

Attempting to protect your media files by way of the referer header is not a good idea, however your recommendation to switch to strict-origin-when-cross-origin does make sense. I think it's the most appropriate referrer policy to use.

Last edited 12 days ago by johnbillion (previous) (diff)

#2 @qcmiao
12 days ago

  • Component changed from Media to HTTP API

7 days ago

#3 @obenland
7 days ago

  • Owner set to aranwer104
  • Status changed from new to assigned

6 days ago

Updated default value in filter doc block description.

#4 @johnbillion
4 days ago

  • Keywords has-patch added; needs-patch removed
  • Owner changed from aranwer104 to johnbillion
  • Status changed from assigned to reviewing
Note: See TracTickets for help on using tickets.