Make WordPress Core

Opened 3 months ago

Closed 3 months ago

#62881 closed defect (bug) (fixed)

Strict referrer policy is breaking post/page passwords

Reported by: zodiac1978
Owned by: johnbillion
Milestone: 6.8
Priority: normal
Severity: normal
Version:
Component: Posts, Post Types
Keywords: good-first-bug has-patch
Focuses:
Cc:

Description

I hoped #62273 could have fixed this problem, but @johnbillion said this is not the case and asked me to open a new ticket here. So, here it is:

If we password protect a post or page, the password gets sent to /wp-login.php?action=postpass

The code can be seen on this link:
https://github.com/WordPress/WordPress/blob/master/wp-login.php#L766-L797

The problem is now this line:

wp_safe_redirect( wp_get_referer() );

If no referrer is there (or only the domain, but no path) the redirect is not working at all (White Screen of Death) or after entering the password you get redirected to the domain instead of the post/page (although the postpass cookie is now there and access is granted, you need to find the page again).

This bug was first reported in the forums:
https://wordpress.org/support/topic/password-protected-page-no-longer-working/

Relevant documentation can be found here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

On Apache you can disable the referrer with these lines:

# Referrer-Policy
<IfModule mod_headers.c>
	Header set Referrer-Policy "no-referrer"
</IfModule>

or set to only send the domain (no path):

# Referrer-Policy
<IfModule mod_headers.c>
	Header set Referrer-Policy "origin"
</IfModule>

The suggested solution from @johnbillion in #62273 was this idea:

Seems like it would be easily solved by adding a hidden redirect_to field in get_the_password_form().

Change History (5)

#1 @johnbillion
3 months ago

  • Keywords good-first-bug added
  • Milestone changed from Awaiting Review to Future Release

#2 @johnbillion
3 months ago

  • Component changed from Login and Registration to Posts, Post Types

#3 @yogeshbhutkar
3 months ago

This ticket was mentioned in PR #8220 on WordPress/wordpress-develop by @yogeshbhutkar.

  • Keywords has-patch added; needs-patch removed

### Description

Adds a hidden redirect_to field to the password protection form to ensure proper redirection when Referrer-Policy is set to 'no-referrer'. This fixes the issue where users would see a white screen or get redirected to the homepage after entering a correct password.

Previously, the redirect relied solely on wp_get_referer() which fails when:

  • Referrer-Policy is set to 'no-referrer'
  • Direct URL access is used
  • Coming from external domains

### Testing Instructions

  1. Create a password-protected post
  2. Set Referrer-Policy to 'no-referrer' in your server config
  3. Visit the protected post
  4. Enter the correct password
  5. Verify you're redirected back to the post

Trac ticket: https://core.trac.wordpress.org/ticket/62881
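As an added illustration (not core's code and not the patch in PR #8220), the two halves of the fix discussed in this ticket written as a small plugin: a hidden redirect_to field injected through the existing the_password_form filter, and the target-selection logic a postpass handler should apply so that the hidden field takes priority over the Referer without becoming an open redirect. Function names prefixed example_ are assumptions for this illustration; the other functions and hooks are the WordPress API.

```php
<?php
/**
 * Added example, not WordPress core code. Requires WordPress.
 * The example_* function names are assumptions for this illustration.
 */

// 1. Send the permalink along with the password instead of relying on the
//    Referer header, which a strict Referrer-Policy strips or truncates.
add_filter( 'the_password_form', 'example_add_redirect_to_field', 10, 2 );
function example_add_redirect_to_field( $output, $post ) {
	$redirect_to = esc_url( get_permalink( $post ) );
	$field       = '<input type="hidden" name="redirect_to" value="' . $redirect_to . '" />';

	// Insert the hidden field just before the form is closed.
	return str_replace( '</form>', $field . '</form>', $output );
}

// 2. Decide where to send the user once the password has been accepted.
//    Trust order: explicit redirect_to (validated), then Referer, then home.
function example_postpass_redirect_target() {
	$home = home_url( '/' );

	if ( ! empty( $_POST['redirect_to'] ) ) {
		$candidate = wp_unslash( $_POST['redirect_to'] );

		// wp_validate_redirect() only accepts URLs on this site (or hosts
		// allowed via the allowed_redirect_hosts filter), so a tampered
		// hidden field cannot redirect the user off-site; otherwise use $home.
		return wp_validate_redirect( $candidate, $home );
	}

	// No hidden field (e.g. an old cached form): fall back to the Referer.
	// wp_get_referer() already validates it and returns false when absent.
	// With Referrer-Policy "origin" this is only the bare domain, which is
	// exactly the symptom reported in this ticket.
	$referer = wp_get_referer();
	if ( $referer ) {
		return $referer;
	}

	// No usable Referer at all: avoid the empty redirect (white screen).
	return $home;
}
```

A handler wired to the login_form_postpass action would call example_postpass_redirect_target() and pass its result to wp_safe_redirect() after setting the postpass cookie; core's own handler in wp-login.php does the equivalent once changeset 59753 is applied.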

#4 @johnbillion
3 months ago

  • Milestone changed from Future Release to 6.8
  • Owner set to johnbillion
  • Status changed from new to reviewing

#5 @johnbillion
3 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 59753:

Posts, Post Types: Explicitly pass a redirect URL for the post permalink when submitting the post password form.

This allows the subsequent redirect to behave as expected if a site is using a strict referrer policy on the front end which prevents the full referrer from being sent.

Props zodiac1978, yogeshbhutkar, hbhalodia, mukesh27.

Fixes #62881
