WordPress.org

Make WordPress Core

Opened 5 months ago

Last modified 5 months ago

#47170 new defect (bug)

wp_sensitive_page_meta breaks login on iPad devices

Reported by: madhazelnut
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: major
Version: 5.0
Component: Login and Registration
Keywords:
Focuses:
Cc:
PR Number:

Description

iPad Safari will throw a

Failed to set referrer policy: The value 'strict-origin-when-cross-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.

on the wp-login.php page because it does not understand the strict-origin-when-cross-origin value for the referrer policy.

This effectively breaks the login completely at least on nginx sites.

Present starting with 4.9.10 (5.0.0 if chronologically).

Change History (3)

#1 @SergeyBiryukov
5 months ago

Introduced in [44021].

#2 @madhazelnut
5 months ago

Rectification about the severity: it happens to completely break login when nginx is configured with mod_sec or anything else that blocks access to wp-login.php without a referrer string. Outside those cases it will just throw a browser console error, but the login will continue to function.

#3 @earnjam
5 months ago

Haven't tested to confirm, but may see that error in Edge, IE and iOS Safari based on browser support for that directive: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Browser_compatibility
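Added example, not part of the ticket or of WordPress: a log triage for the failure described in comment #2, counting denied POSTs to wp-login.php that arrived without a Referer, grouped by the browser families named in comment #3. The nginx "combined" log format, the 403 deny status, the user-agent heuristics and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed user agents and nginx "combined" log lines (documentation IPs, not real traffic).
IPAD = "Mozilla/5.0 (iPad; CPU OS 12_2 like Mac OS X) AppleWebKit/605.1.15 Version/12.1 Safari/604.1"
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/74.0.3729.131 Safari/537.36"

def _line(ip, req, status, ref, ua):
    return f'{ip} - - [10/May/2019:10:00:01 +0000] "{req} HTTP/1.1" {status} 162 "{ref}" "{ua}"'

SAMPLE_LOG = "\n".join([
    _line("203.0.113.10", "POST /wp-login.php", 403, "-", IPAD),
    _line("203.0.113.11", "POST /wp-login.php?action=lostpassword", 403, "-", IPAD),
    _line("198.51.100.7", "POST /wp-login.php", 302, "https://example.com/wp-login.php", CHROME),
    _line("198.51.100.8", "POST /wp-login.php", 403, "-", CHROME + " Edge/18.17763"),
    _line("192.0.2.44", "POST /wp-login.php", 403, "-", "python-requests/2.21.0"),
    _line("203.0.113.10", "GET /wp-login.php", 200, "-", IPAD),
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def family(ua):
    """Rough user-agent bucket for the browsers named in the ticket (heuristic)."""
    if "Edge/" in ua:  # checked first: the Edge UA also contains Chrome and Safari tokens
        return "Edge"
    if "Trident/" in ua or "MSIE " in ua:
        return "IE"
    if "iPad" in ua or "iPhone" in ua:
        return "iOS Safari"
    return "other"

def login_posts_blocked_without_referer(log_text, deny_status="403"):
    """Count denied POSTs to wp-login.php that carried no Referer, per browser family."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed combined format
        is_login = m["path"].split("?", 1)[0].endswith("/wp-login.php")
        no_referer = m["referer"] in ("", "-")
        if m["method"] == "POST" and is_login and no_referer and m["status"] == deny_status:
            hits[family(m["ua"])] += 1
    return hits

if __name__ == "__main__":
    print(login_posts_blocked_without_referer(SAMPLE_LOG))
```

Hits in the named browser families, as opposed to the "other" bucket where scripted clients land, indicate that the referrer rule is rejecting interactive logins rather than automated ones.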
