Make WordPress Core

Opened 5 years ago

Last modified 5 years ago

#47788 new defect (bug)

send_headers hook does not work in wp-login or wp-admin

Reported by: kysymysteke Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.2.2
Component: Administration Keywords: 2nd-opinion has-patch
Focuses: administration, privacy Cc:

Description

Assume that I want to start using CSP (Content Security Policy) on my website. I add this to my theme's functions.php:

<?php
add_action('send_headers', 'set_CSP_header');

function set_CSP_header() {
 $CSP = "Content-Security-Policy: default-src 'self';";
 header($CSP);
}

You would assume that this would add the CSP everywhere on the website, but that is not so. This does NOT add the CSP header to wp-login or wp-admin. Instead website admins have to use the 'login_init' and 'admin_init' hooks in addition to 'send_headers', to get CSP everywhere on the website.

This is unintuitive and seems like a bug to me.
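The following is an added example written for this ticket, not code from the reporter, the attached patch or WordPress core. It attaches one callback to all three hooks the description names. The reason 'send_headers' alone is not enough: that action fires inside WP::send_headers(), which only runs for front-end requests routed through wp(); wp-admin and wp-login.php never call it. The two policy strings, the EXAMPLE_ prefix and the use of a must-use plugin are assumptions for the example; the admin policy is deliberately relaxed because wp-admin depends on inline scripts and styles.

```php
<?php
/**
 * Plugin Name: CSP on every request (added example)
 *
 * Drop this file into wp-content/mu-plugins/ or paste the body into the
 * theme's functions.php. Example code for ticket #47788, not part of core.
 * Both policy strings are placeholders to adapt to the site.
 */

// Front end and wp-login.php (assumed policy for this example).
const EXAMPLE_CSP_FRONT = "default-src 'self'; frame-ancestors 'self'; base-uri 'self'";

// wp-admin uses inline scripts and styles, so a strict policy breaks it;
// this relaxed policy is an assumption, not a recommendation.
const EXAMPLE_CSP_ADMIN = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    . "style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'";

function example_csp_send_header() {
    // header() silently does nothing (and emits a PHP warning) once output
    // has started, so log that case instead of shipping a page without CSP.
    if ( headers_sent( $file, $line ) ) {
        error_log( "CSP not sent: output already started at {$file}:{$line}" );
        return;
    }

    // is_admin() is true for wp-admin/* (including admin-ajax.php) and
    // false for the front end and for wp-login.php.
    $policy = is_admin() ? EXAMPLE_CSP_ADMIN : EXAMPLE_CSP_FRONT;

    // header() replaces an existing header of the same name by default, so a
    // callback that happens to fire twice in one request is harmless.
    header( 'Content-Security-Policy: ' . $policy );
}

add_action( 'send_headers', 'example_csp_send_header' ); // front end only
add_action( 'login_init',   'example_csp_send_header' ); // wp-login.php
add_action( 'admin_init',   'example_csp_send_header' ); // wp-admin/*
```

To confirm the header is actually present on each surface, request the front page, /wp-login.php and /wp-admin/ with `curl -sI` and look for the Content-Security-Policy line in each response; a missing line on one of them means that hook did not fire or output had already started.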

Attachments (1)

headers.patch (1.1 KB) - added by pierlo 5 years ago.
Call callback function for send_headers action hook for admin and login pages


Change History (4)

#1 @SergeyBiryukov
5 years ago

  • Component changed from General to Administration

#2 in reply to: ↑ description @thelmachido
5 years ago

Replying to kysymysteke:

Assume that I want to start using CSP (Content Security Policy) on my website. I add this to my theme's functions.php:

<?php
add_action('send_headers', 'set_CSP_header');

function set_CSP_header() {
 $CSP = "Content-Security-Policy: default-src 'self';";
 header($CSP);
}

You would assume that this would add the CSP everywhere on the website, but that is not so. This does NOT add the CSP header to wp-login or wp-admin. Instead website admins have to use the 'login_init' and 'admin_init' hooks in addition to 'send_headers', to get CSP everywhere on the website.

This is unintuitive and seems like a bug to me.

Hi @kysymysteke ,

Here is another option...
In my opinion the best way to add protection and security to a website is by using the .htaccess file.
From my understanding the most advised way of adding CSP to WordPress is by adding CSP rules to the .htaccess file. Bear in mind that for this to work your web server must have the headers module activated. Add the code below to your .htaccess file.

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
</IfModule>

This allows anything to be loaded from the website plus images from the specified domain (gravatar.com) over http & https. Anything else will be blocked by your browser.

Anyhoo, this then blocks loading of JavaScript, images or data from other trusted domains, e.g. plugins, so you will need to approve trusted domains using 'unsafe-inline'. For instance, say you want to use Google Analytics, you add the code below:

script-src 'self' 'unsafe-inline' http: https: *.google-analytics.com;

Adding CSP on your website will break your back-end, so you need to add the following rules to the .htaccess file in the wp-admin folder.

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; img-src 'self' data: http: https: *.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com; font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>

An alternative would be to disable CSP rules on your admin area, but I guess in your case that's not an option.

@pierlo
5 years ago

Call callback function for send_headers action hook for admin and login pages

#3 @pierlo
5 years ago

  • Keywords has-patch added; needs-patch removed