Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2024-09-24 21:32:51 +02:00
Code Issues Projects Releases Wiki Activity

Security: Add a referrer policy header to the admin and login screens.

Browse Source 
This sets a referrer policy of `same-origin` which adds hardening by preventing a referrer being sent from the admin area or login screens to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within URLs.

This change introduces a new filter, `admin_referrer_policy`, for filtering the referrer policy header value. The header can be disabled if necessary by removing the `wp_admin_headers` action from the `admin_init` and `login_init` hooks.

Props joostdevalk
Fixes #42036

Built from https://develop.svn.wordpress.org/trunk@41741


git-svn-id: http://core.svn.wordpress.org/trunk@41575 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
John Blackbourn 2017-10-04 18:25:46 +00:00
parent c03b283f37
commit fbd44ee554
3 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
wp-admin/includes/admin-filters.php
View File

@ -38,6 +38,8 @@ add_filter( 'media_upload_library', 'media_upload_library' );
add_filter( 'media_upload_tabs', 'update_gallery_tab' ); add_filter( 'media_upload_tabs', 'update_gallery_tab' );
// Misc hooks. // Misc hooks.
add_action( 'admin_init', 'wp_admin_headers' );
add_action( 'login_init', 'wp_admin_headers' );
add_action( 'admin_head', 'wp_admin_canonical_url' ); add_action( 'admin_head', 'wp_admin_canonical_url' );
add_action( 'admin_head', 'wp_color_scheme_settings' ); add_action( 'admin_head', 'wp_color_scheme_settings' );
add_action( 'admin_head', 'wp_site_icon' ); add_action( 'admin_head', 'wp_site_icon' );

21
wp-admin/includes/misc.php
View File

@ -919,6 +919,27 @@ function wp_admin_canonical_url() {
<?php <?php
} }
/**
* Send a referrer policy header so referrers are not sent externally from administration screens.
*
* @since 4.9.0
*/
function wp_admin_headers() {
$policy = 'same-origin';
/**
* Filters the admin referrer policy header value. Default 'same-origin'.
*
* @since 4.9.0
* @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
*
* @param string $policy The referrer policy header value.
*/
$policy = apply_filters( 'admin_referrer_policy', $policy );
header( sprintf( 'Referrer-Policy: %s', $policy ) );
}
/** /**
* Outputs JS that reloads the page if the user navigated to it with the Back or Forward button. * Outputs JS that reloads the page if the user navigated to it with the Back or Forward button.
* *

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.9-alpha-41740'; $wp_version = '4.9-alpha-41741';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.