Make WordPress Core

Opened 5 years ago

Last modified 12 months ago

#46296 new defect (bug)

Posts set to 'private' and password protected should return a 403 HTTP header status

Reported by: jonoaldersonwp's profile jonoaldersonwp Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version:
Component: Posts, Post Types Keywords: seo has-patch
Focuses: Cc:

Description

These currently output a 200 status, which may result in search engines and external agents indexing them.

If the user doesn't have access permissions, a 403 header status should be returned.

Screenshot: https://user-images.githubusercontent.com/487629/53154266-af22e680-35ba-11e9-9f4e-eb520634ffff.png

Attachments (1)

46296.diff (429 bytes) - added by Presskopp 12 months ago.


Change History (6)

#1 @earnjam
5 years ago

Private returns a 404. See #23407

Based on the screenshot I think you specifically mean password protected pages?

#2 @jonoaldersonwp
5 years ago

  • Summary changed from Posts set to 'private' should return a 403 HTTP header status to Posts set to 'private' and password protected should return a 403 HTTP header status

Ah, yes. Good clarification, ty.

#3 @Presskopp
12 months ago

@jonoaldersonwp what do you say to

I disagree with this specifically - privately published posts should not be "known" to anybody who shouldn't have access. Returning a 403 instead of 404 would make it known.

by @helen (https://core.trac.wordpress.org/ticket/29829#comment:2)

and

Private is not meant to be "you need an account" private. It is meant to be "it doesn't exist" private. Let's not tip our hats with a 403.

by @nacin (https://core.trac.wordpress.org/ticket/23407#comment:4)

#4 @Presskopp
12 months ago

  • Keywords needs-patch added

If 403 or 404, but surely not 200

#5 @Presskopp
12 months ago

  • Keywords has-patch added; needs-patch removed

Rethinking this, it seems like the 404 for private is perfectly fine, only the 200 for password protected not. Patching to 403 therefore. I assume the patch could be more elegant, but I'm happy I made it so far.
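The change this comment describes, written up as an added must-use plugin example; it is not the attached 46296.diff and not WordPress core code, and it assumes core's `template_redirect` action, `post_password_required()` and `status_header()` behave as documented.

```php
<?php
/**
 * Plugin Name: 403 for password-protected posts (added example, not 46296.diff)
 *
 * Core serves the password form for a protected post with HTTP 200,
 * so crawlers may index the placeholder. This answers 403 plus a
 * noindex header while the form is shown. Private posts are left
 * alone: core already answers those with 404 (see #23407).
 */

add_action( 'template_redirect', function () {
	// Only single post/page/CPT views can be password protected.
	if ( ! is_singular() ) {
		return;
	}

	$post = get_queried_object();
	if ( ! ( $post instanceof WP_Post ) ) {
		return;
	}

	// True when the post has a password and the visitor has not yet
	// supplied the right one (no valid wp-postpass_* cookie).
	if ( ! post_password_required( $post ) ) {
		return;
	}

	// Visitor lacks access: send 403 instead of core's default 200.
	// template_redirect runs before any output, so the status line
	// set earlier by WP::send_headers() is still replaceable.
	status_header( 403 );

	// Keep the password form out of caches and search indexes.
	nocache_headers();
	header( 'X-Robots-Tag: noindex, nofollow', true );
} );
```

Placed in wp-content/mu-plugins/ it loads without activation; the password form itself still renders, so a 403 here reveals nothing that the form did not already.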

@Presskopp
12 months ago
