Make WordPress Core

Opened 6 months ago

Closed 3 months ago

Last modified 3 months ago

#62273 closed defect (bug) (fixed)

Referrer-Policy header missing in login

Reported by: kkmuffme Owned by: johnbillion
Milestone: 6.8 Priority: normal
Severity: normal Version: 4.9
Component: Login and Registration Keywords: has-patch
Focuses: Cc:

Description (last modified by SergeyBiryukov)

[41741] from #42036 added the Referrer-Policy header on wp-admin and the login page.

However, this does not (and, from what I can see, never has) work on wp-login.
It's hooked with add_action( 'login_init', 'wp_admin_headers' ); but the wp_admin_headers function is not loaded on the login page, as it only gets loaded in wp-admin.

@johnbillion

Attachments (1)

62273.patch (3.3 KB) - added by sagarlakhani 4 months ago.


Change History (11)

#1 @SergeyBiryukov
6 months ago

  • Description modified (diff)
  • Milestone changed from Awaiting Review to 6.8

#2 @johnbillion
6 months ago

  • Component changed from Security to Login and Registration
  • Keywords needs-patch added
  • Severity changed from critical to normal

I concur that it looks like this has never worked on the login screen because admin-filters.php isn't loaded there and the wp_admin_headers() function isn't loaded there either.

#3 @albatross10
4 months ago

Hello @SergeyBiryukov , @johnbillion

Upon further investigation, I did find that the file https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-admin/includes/misc.php is not loaded when wp-login is loaded. So if we try to add the filter to a file that is loaded during wp-login, it would still not work.

I found that https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/functions.php gets loaded both for login and admin. We can move wp_admin_headers() to this file and still have no issues. Then we can call the login_init filter in https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/default-filters.php to set the headers.

Last edited 4 months ago by albatross10

#4 @aslamdoctor
4 months ago

@kkmuffme so, are we looking at adding just the Referrer-Policy to the login page, or at loading all the admin headers added by wp_admin_headers()?

@sagarlakhani
4 months ago

#5 @sagarlakhani
4 months ago

  • Keywords has-patch added; needs-patch removed

#6 @albatross10
4 months ago

@aslamdoctor

That is a good question and it might be of interest going forward. But it seems that this was intended to work as per #42036. So it should load the headers.

#7 @johnbillion
3 months ago

  • Owner set to johnbillion
  • Status changed from new to reviewing

#8 @johnbillion
3 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 59712:

Security: Enable the referrer policy header on the login screen.

This sets the same referrer policy of strict-origin-when-cross-origin that's used in the admin area to prevent a referrer being sent to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within the URL.

The header can be disabled if necessary by removing the wp_admin_headers action from the login_init hook.

Props kkmuffme, sagarlakhani, albatross10

Fixes #62273
See #42036
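The description above shows why the header never reached wp-login.php (the callback was hooked to login_init but its defining file was only loaded in wp-admin), and the commit message describes the fix and the opt-out. The following mu-plugin is an added example, not WordPress core code and not the attached patch: it sends the same strict-origin-when-cross-origin policy on the login screen for sites that have not yet received the fix, skips the header when core (6.8+) has already queued it, and shows the opt-out the commit message describes. The constant name, function names and the duplicate check are this example's own; the hook name login_init, the function wp_admin_headers and the policy string come from the ticket.

```php
<?php
/**
 * Plugin Name: Login Referrer-Policy (added example, not WordPress core code)
 *
 * Sends the Referrer-Policy header on wp-login.php with the same value that
 * wp_admin_headers() sends in wp-admin. On WordPress 6.8+ core already does
 * this via the login_init action, so the callback below detects that case
 * and does nothing, avoiding a duplicated header.
 */

// Policy string as named in the commit message; the constant name is this example's own.
const LOGIN_REFERRER_POLICY = 'strict-origin-when-cross-origin';

/**
 * Returns true if a Referrer-Policy header is already queued for this response,
 * e.g. because core's wp_admin_headers() ran earlier on login_init.
 */
function login_referrer_policy_already_queued() {
	foreach ( headers_list() as $header ) {
		if ( 0 === stripos( $header, 'Referrer-Policy:' ) ) {
			return true;
		}
	}
	return false;
}

/**
 * Emits the header on the login screen. login_init fires from wp-login.php
 * before any output, so headers_sent() is normally false at this point; the
 * check is kept so a misbehaving plugin that printed early cannot cause a
 * PHP warning here.
 */
function login_send_referrer_policy() {
	if ( headers_sent() || login_referrer_policy_already_queued() ) {
		return;
	}
	header( 'Referrer-Policy: ' . LOGIN_REFERRER_POLICY );
}

// Priority 20 runs after core's own wp_admin_headers (registered at the default
// priority 10), so on 6.8+ the duplicate check sees core's header and skips.
add_action( 'login_init', 'login_send_referrer_policy', 20 );

// Opt-out on 6.8+, as the commit message describes: remove core's action.
// Mu-plugins load after default-filters.php has registered it, so a plain
// remove_action() here is sufficient. Left commented out: only a site that
// must not send the header should enable this line.
// remove_action( 'login_init', 'wp_admin_headers' );
```

To confirm the result, request the login page with `curl -sI https://<your-site>/wp-login.php` and look for a single `Referrer-Policy: strict-origin-when-cross-origin` line; two copies mean another plugin is also setting it and the duplicate check above should be extended to cover it.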

#9 @zodiac1978
3 months ago

This would hopefully fix another bug:

If no referrer is sent (maybe because of a no-referrer header) the redirect on /wp-login.php?action=postpass does not work correctly. Overwriting the header would fix this. Correct?

#10 @johnbillion
3 months ago

@zodiac1978 I don't believe this change will affect that behaviour. This referrer policy won't affect how wp-login.php can detect its own referrer, which is what I think you're asking.

If there isn't already a ticket for that bug, could you open one? Seems like it would be easily solved by adding a hidden redirect_to field in get_the_password_form().
