[wp-trac] [WordPress Trac] #47788: send_headers hook does not work in wp-login or wp-admin
WordPress Trac
noreply at wordpress.org
Sun Jul 28 10:18:17 UTC 2019
#47788: send_headers hook does not work in wp-login or wp-admin
-------------------------------------+-------------------------------------
Reporter: kysymysteke | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 5.2.2
Severity: normal | Keywords: needs-patch 2nd-opinion
Focuses: administration, privacy |
-------------------------------------+-------------------------------------
Assume that I want to start using CSP (Content Security Policy) on my
website. I add this to my theme's functions.php:
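{{{#!php
<?php
// Register the callback on the front-end header hook.
add_action('send_headers', 'set_CSP_header');

// Emit the Content-Security-Policy response header.
function set_CSP_header() {
    $CSP = "Content-Security-Policy: default-src 'self';";
    header($CSP);
}
}}}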
You would assume that this would add the CSP everywhere on the website,
but that is not so. This does NOT add the CSP header to wp-login or
wp-admin. Instead, website admins have to use the 'login_init' and
'admin_init' hooks in addition to 'send_headers' to get CSP everywhere on
the website.
This is unintuitive and seems like a bug to me.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47788>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
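
The workaround the ticket describes (hooking 'login_init' and 'admin_init' in addition to 'send_headers'), written out as an added example that is not part of the original ticket or of WordPress core. The function name `example_send_csp_header` is hypothetical; the policy string is the one from the ticket.

```php
<?php
// Added example: send the same CSP header on the front end, wp-login and wp-admin.
// The function name is hypothetical (not from the ticket or from core).

function example_send_csp_header() {
    // Guard against running twice in one request if more than one hook fires.
    static $sent = false;

    // header() cannot add anything once output has started, so bail out
    // instead of triggering a "headers already sent" warning.
    if ( $sent || headers_sent() ) {
        return;
    }

    // Policy taken verbatim from the ticket.
    header( "Content-Security-Policy: default-src 'self';" );
    $sent = true;
}

// Front-end requests.
add_action( 'send_headers', 'example_send_csp_header' );

// wp-login.php.
add_action( 'login_init', 'example_send_csp_header' );

// wp-admin screens; admin_init also fires for admin-ajax.php and
// admin-post.php, so those responses carry the header as well.
add_action( 'admin_init', 'example_send_csp_header' );
```

The response headers of the front page, `/wp-login.php` and `/wp-admin/` can then be compared to confirm that all three carry the policy.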