[wp-trac] [WordPress Trac] #42036: Add same-origin referrer-policy header to WP Admin pages
WordPress Trac
noreply at wordpress.org
Fri Sep 29 20:19:49 UTC 2017
#42036: Add same-origin referrer-policy header to WP Admin pages
-------------------------+--------------------------
Reporter: joostdevalk | Owner: joostdevalk
Type: enhancement | Status: assigned
Priority: normal | Milestone: 4.9
Component: Security | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-------------------------+--------------------------
Comment (by QROkes):
Replying to [comment:3 joostdevalk]:
> Replying to [comment:2 QROkes]:
> > You should consider that some customized servers are sending this
> > header, so it could result in a duplicate header.
>
> Having the header twice will not undo it.

It's not that simple. HTTP RFC 2616, available here, says:
[https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
"Multiple message-header fields with the same field-name MAY be present in
a message if and only if the entire field-value for that header field is
defined as a comma-separated list [i.e., #(values)]. It MUST be possible
to combine the multiple header fields into one "field-name: field-value"
pair, without changing the semantics of the message, by appending each
subsequent field-value to the first, each separated by a comma. The order
in which header fields with the same field-name are received is therefore
significant to the interpretation of the combined field value, and thus a
proxy MUST NOT change the order of these field values when a message is
forwarded."
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42036#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
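
The combination rule quoted in the comment above, applied to a duplicated Referrer-Policy header. This is an added example, not code from the ticket or from WordPress. The sample headers are constructed, and the "last recognised token wins" step is an assumption taken from the W3C Referrer Policy specification, which the comment does not quote.

```python
# Added example: constructed response headers, not captured from a real server.
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def combine_fields(headers, name):
    """Combine repeated header fields into one value, per RFC 2616 sec. 4.2.

    `headers` is a list of (field-name, field-value) pairs in received order.
    Field names match case-insensitively; the order of values is preserved.
    """
    values = [v.strip() for n, v in headers if n.lower() == name.lower()]
    return ", ".join(values) if values else None


def effective_referrer_policy(headers):
    """Return (combined_value, effective_policy, is_duplicated).

    Assumption: the effective policy is the last recognised token of the
    combined value (W3C Referrer Policy spec); unknown tokens are ignored.
    Tokens are compared case-insensitively here.
    """
    count = sum(1 for n, _ in headers if n.lower() == "referrer-policy")
    combined = combine_fields(headers, "Referrer-Policy")
    policy = ""
    for token in (combined or "").split(","):
        token = token.strip().lower()
        if token in VALID_POLICIES:
            policy = token
    return combined, policy, count > 1


# Constructed samples: a server-level header followed by the application's.
SAME = [("Referrer-Policy", "same-origin"), ("Content-Type", "text/html"),
        ("referrer-policy", "same-origin")]
CONFLICT = [("Referrer-Policy", "same-origin"),
            ("Referrer-Policy", "unsafe-url")]
REVERSED = list(reversed(CONFLICT))

if __name__ == "__main__":
    for label, hdrs in (("same", SAME), ("conflict", CONFLICT),
                        ("reversed", REVERSED)):
        print(label, effective_referrer_policy(hdrs))
```

Running the same check against a site's real response headers shows whether a server-level Referrer-Policy and an application-level one are both present and which value ends up last.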