From a4f6e8dadb73a4ca11c29acc000c7dd9369d7a92 Mon Sep 17 00:00:00 2001
From: John Blackbourn <johnbillion@git.wordpress.org>
Date: Mon, 12 Mar 2018 10:56:53 +0000
Subject: [PATCH] Security: Loosen the admin referrer policy header value to
 allow the referring host to be sent from the admin area in all cases.

This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area.

Props aranwer104, qcmiao

Fixes #43285


git-svn-id: https://develop.svn.wordpress.org/trunk@42830 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/misc.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/wp-admin/includes/misc.php b/src/wp-admin/includes/misc.php
index c462f85a4b..45a065d754 100644
--- a/src/wp-admin/includes/misc.php
+++ b/src/wp-admin/includes/misc.php
@@ -1146,15 +1146,17 @@ function wp_admin_canonical_url() {
  * @since 4.9.0
  */
 function wp_admin_headers() {
-	$policy = 'same-origin';
+	$policy = 'strict-origin-when-cross-origin';
 
 	/**
-	 * Filters the admin referrer policy header value. Default 'same-origin'.
+	 * Filters the admin referrer policy header value.
 	 *
 	 * @since 4.9.0
+	 * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
+	 *
 	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 	 *
-	 * @param string $policy The referrer policy header value.
+	 * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
 	 */
 	$policy = apply_filters( 'admin_referrer_policy', $policy );