From b7a73d6a45ef391ec6b0b65f608dd4e5ce170921 Mon Sep 17 00:00:00 2001
From: John Blackbourn <johnbillion@git.wordpress.org>
Date: Mon, 27 Jan 2025 14:41:22 +0000
Subject: [PATCH] Security: Enable the referrer policy header on the login
 screen.

This sets the same referrer policy of `strict-origin-when-cross-origin` that's used in the admin area to prevent a referrer being sent to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within the URL.

The header can be disabled if necessary by removing the `wp_admin_headers` action from the `login_init` hook.

Props kkmuffme, sagarlakhani, albatross10

Fixes #62273
See #42036
Built from https://develop.svn.wordpress.org/trunk@59712


git-svn-id: http://core.svn.wordpress.org/trunk@59054 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/admin-filters.php |  1 -
 wp-admin/includes/misc.php          | 23 -----------------------
 wp-includes/default-filters.php     |  1 +
 wp-includes/functions.php           | 24 ++++++++++++++++++++++++
 wp-includes/version.php             |  2 +-
 5 files changed, 26 insertions(+), 25 deletions(-)

diff --git a/wp-admin/includes/admin-filters.php b/wp-admin/includes/admin-filters.php
index 587fbc25e9..6776f5898a 100644
--- a/wp-admin/includes/admin-filters.php
+++ b/wp-admin/includes/admin-filters.php
@@ -44,7 +44,6 @@ add_action( 'admin_color_scheme_picker', 'admin_color_scheme_picker' );
 
 // Misc hooks.
 add_action( 'admin_init', 'wp_admin_headers' );
-add_action( 'login_init', 'wp_admin_headers' );
 add_action( 'admin_init', 'send_frame_options_header', 10, 0 );
 add_action( 'admin_head', 'wp_admin_canonical_url' );
 add_action( 'admin_head', 'wp_site_icon' );
diff --git a/wp-admin/includes/misc.php b/wp-admin/includes/misc.php
index 5ce34cf18d..afa36a2f2b 100644
--- a/wp-admin/includes/misc.php
+++ b/wp-admin/includes/misc.php
@@ -1415,29 +1415,6 @@ function wp_admin_canonical_url() {
 	<?php
 }
 
-/**
- * Sends a referrer policy header so referrers are not sent externally from administration screens.
- *
- * @since 4.9.0
- */
-function wp_admin_headers() {
-	$policy = 'strict-origin-when-cross-origin';
-
-	/**
-	 * Filters the admin referrer policy header value.
-	 *
-	 * @since 4.9.0
-	 * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
-	 *
-	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
-	 *
-	 * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
-	 */
-	$policy = apply_filters( 'admin_referrer_policy', $policy );
-
-	header( sprintf( 'Referrer-Policy: %s', $policy ) );
-}
-
 /**
  * Outputs JS that reloads the page if the user navigated to it with the Back or Forward button.
  *
diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php
index 0468797ee2..54883b840d 100644
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -389,6 +389,7 @@ add_action( 'login_head', 'print_admin_styles', 9 );
 add_action( 'login_head', 'wp_site_icon', 99 );
 add_action( 'login_footer', 'wp_print_footer_scripts', 20 );
 add_action( 'login_init', 'send_frame_options_header', 10, 0 );
+add_action( 'login_init', 'wp_admin_headers' );
 
 // Feed generator tags.
 foreach ( array( 'rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head' ) as $action ) {
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 6e1d97677d..f46de3a282 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -7144,6 +7144,30 @@ function send_frame_options_header() {
 	header( 'X-Frame-Options: SAMEORIGIN' );
 }
 
+/**
+ * Sends a referrer policy header so referrers are not sent externally from administration screens.
+ *
+ * @since 4.9.0
+ * @since 6.8.0 This function was moved from `wp-admin/includes/misc.php` to `wp-includes/functions.php`.
+ */
+function wp_admin_headers() {
+	$policy = 'strict-origin-when-cross-origin';
+
+	/**
+	 * Filters the admin referrer policy header value.
+	 *
+	 * @since 4.9.0
+	 * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
+	 *
+	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+	 *
+	 * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
+	 */
+	$policy = apply_filters( 'admin_referrer_policy', $policy );
+
+	header( sprintf( 'Referrer-Policy: %s', $policy ) );
+}
+
 /**
  * Retrieves a list of protocols to allow in HTML attributes.
  *
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 3cba8ed6af..d94c43f1d5 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.8-alpha-59711';
+$wp_version = '6.8-alpha-59712';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.