[wp-trac] [WordPress Trac] #43285: The default admin referrer policy header value block the access to media on other server in admin panel

WordPress Trac noreply at wordpress.org
Sun Feb 11 06:21:13 UTC 2018


#43285: The default admin referrer policy header value block the access to media on
other server in admin panel
----------------------------+-----------------------------
 Reporter:  qcmiao          |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Media           |    Version:  4.9
 Severity:  normal          |   Keywords:
  Focuses:  administration  |
----------------------------+-----------------------------
 As an update from #42036 and
 [https://core.trac.wordpress.org/changeset/41741 Changeset 41741]: the
 default `same-origin` referrer policy may block access to media like
 pictures from the media panel and the editor when they are stored on
 another server and have a whitelist referrer rule. Although we can still
 see the correct pics in the article, it is still very inconvenient that we
 cannot see them when we manage them or edit articles. And if we allow
 no-referrer visits to the pic server, it will make the copyright of pics
 unsafe.

 So, I hope the default admin referrer policy can be changed. I think
 `strict-origin-when-cross-origin` is more suitable than `same-origin`.
 `strict-origin-when-cross-origin` can also prevent other origins from
 knowing the whole URL from the admin panel.


 The code affected is in `wp-admin/includes/misc.php`, line 1148, function
 `wp_admin_headers()`.

 {{{#!php
 /**
  * Send a referrer policy header so referrers are not sent externally from administration screens.
  *
  * @since 4.9.0
  */
 function wp_admin_headers() {
         $policy = 'same-origin';

         /**
          * Filters the admin referrer policy header value. Default 'same-origin'.
          *
          * @since 4.9.0
          * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
          *
          * @param string $policy The referrer policy header value.
          */
         $policy = apply_filters( 'admin_referrer_policy', $policy );

         header( sprintf( 'Referrer-Policy: %s', $policy ) );
 }

 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/43285>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
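
Added example (not part of the original ticket and not WordPress code): a small JavaScript model of the Referer value a browser sends under the two policies the ticket compares, checked against a media server that only serves requests whose Referer host is allowlisted. The host names, URLs and the `mediaServerAllows` rule are constructed assumptions for illustration.

```javascript
// Added example: models only the two policies named in the ticket.
// All host names and URLs below are constructed placeholders.

// Strip credentials and fragment, as browsers do before sending a Referer.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return originOnly ? u.origin + "/" : u.href;
}

// Returns the Referer header value, or null when no Referer is sent.
function computeReferrer(policy, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  switch (policy) {
    case "same-origin":
      return sameOrigin ? stripForReferrer(pageUrl, false) : null;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(pageUrl, false);
      return downgrade ? null : stripForReferrer(pageUrl, true);
    default:
      throw new Error("policy not modelled in this example: " + policy);
  }
}

// Hypothetical media-server hotlink rule: serve only allowlisted Referer hosts.
function mediaServerAllows(referrer, allowedHosts) {
  if (referrer === null) return false; // requests without a Referer are rejected
  return allowedHosts.includes(new URL(referrer).hostname);
}

const ADMIN_PAGE = "https://blog.example/wp-admin/post.php?post=42&action=edit";
const IMAGE = "https://media.example/uploads/photo.jpg";
const ALLOWED = ["blog.example"];

// One row per policy: what the media server sees and whether it serves the image.
function demo() {
  return ["same-origin", "strict-origin-when-cross-origin"].map((policy) => {
    const referrer = computeReferrer(policy, ADMIN_PAGE, IMAGE);
    return { policy, referrer, served: mediaServerAllows(referrer, ALLOWED) };
  });
}

console.log(demo());
```

Under `same-origin` the cross-origin image request carries no Referer and the allowlist rejects it; under `strict-origin-when-cross-origin` the media server sees only the origin, so the admin path and query string are not disclosed.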