[wp-trac] [WordPress Trac] #42036: Add same-origin referrer-policy header to WP Admin pages
WordPress Trac
noreply at wordpress.org
Fri Sep 29 18:40:56 UTC 2017
#42036: Add same-origin referrer-policy header to WP Admin pages
-------------------------+-----------------------
Reporter: joostdevalk | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 4.9
Component: General | Version:
Severity: normal | Keywords: has-patch
Focuses: |
-------------------------+-----------------------
When a user clicks a link in the WP-Admin and goes to another site, the
HTTP referrer gets set. That means that site can see in their analytics
and in their access logs where the user came from. This means that the
location of people's wp-admin folders isn't kept safe. Especially if
plugins add important data to the URL, that data is also not kept safe.
The above is why I'm suggesting implementing a referrer-policy header.
This header, when set to same-origin, prevents the browser from sending
the referrer when going to another site. The referrer _is_ sent when you
go from one page to the other in the admin, so we can keep using that
reliably.
More info:
- https://scotthelme.co.uk/a-new-security-header-referrer-policy/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42036>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform