sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Security: Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases.

Browse Source 
This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area.

Props aranwer104, qcmiao

Fixes #43285


git-svn-id: https://develop.svn.wordpress.org/trunk@42830 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
John Blackbourn 2018-03-12 10:56:53 +00:00
parent 36d237cc13
commit a4f6e8dadb
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/wp-admin/includes/misc.php
View File

@ -1146,15 +1146,17 @@ function wp_admin_canonical_url() {
* @since 4.9.0 * @since 4.9.0
*/ */
function wp_admin_headers() { function wp_admin_headers() {
$policy = 'same-origin'; $policy = 'strict-origin-when-cross-origin';
/** /**
* Filters the admin referrer policy header value. Default 'same-origin'. * Filters the admin referrer policy header value.
* *
* @since 4.9.0 * @since 4.9.0
* @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
*
* @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
* *
* @param string $policy The referrer policy header value. * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
*/ */
$policy = apply_filters( 'admin_referrer_policy', $policy ); $policy = apply_filters( 'admin_referrer_policy', $policy );