From d7025e778704c7cd98f0a3544fbe93cacbef7ae6 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 12 Mar 2018 10:57:35 +0000 Subject: [PATCH] Security: Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases. This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area. Props aranwer104, qcmiao Fixes #43285 Built from https://develop.svn.wordpress.org/trunk@42830 git-svn-id: http://core.svn.wordpress.org/trunk@42660 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/includes/misc.php | 8 +++++--- wp-includes/version.php | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/wp-admin/includes/misc.php b/wp-admin/includes/misc.php index c462f85a4b..45a065d754 100644 --- a/wp-admin/includes/misc.php +++ b/wp-admin/includes/misc.php @@ -1146,15 +1146,17 @@ function wp_admin_canonical_url() { * @since 4.9.0 */ function wp_admin_headers() { - $policy = 'same-origin'; + $policy = 'strict-origin-when-cross-origin'; /** - * Filters the admin referrer policy header value. Default 'same-origin'. + * Filters the admin referrer policy header value. * * @since 4.9.0 + * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'. + * * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy * - * @param string $policy The referrer policy header value. + * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'. */ $policy = apply_filters( 'admin_referrer_policy', $policy ); diff --git a/wp-includes/version.php b/wp-includes/version.php index 4cf31c5f31..0f10c79805 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '5.0-alpha-42829'; +$wp_version = '5.0-alpha-42830'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.