[wp-trac] [WordPress Trac] #47788: send_headers hook does not work in wp-login or wp-admin
WordPress Trac
noreply at wordpress.org
Fri Aug 2 08:52:14 UTC 2019
#47788: send_headers hook does not work in wp-login or wp-admin
------------------------------------+--------------------------------------
Reporter: kysymysteke | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 5.2.2
Severity: normal | Resolution:
Keywords: needs-patch 2nd-opinion | Focuses: administration, privacy
------------------------------------+--------------------------------------
Comment (by thelmachido):
Replying to [ticket:47788 kysymysteke]:
> Assume that I want to start using CSP (Content Security Policy) on my
> website. I add this to my theme's functions.php:
>
> {{{#!php
> <?php
> add_action('send_headers', 'set_CSP_header');
>
> function set_CSP_header() {
> $CSP = "Content-Security-Policy: default-src 'self';";
> header($CSP);
> }
> }}}
>
> You would assume that this would add the CSP everywhere on the website,
> but that is not so. This does NOT add the CSP header to wp-login or
> wp-admin. Instead website admins have to use the 'login_init' and
> 'admin_init' hooks in addition to 'send_headers', to get CSP everywhere on
> the website.
>
> This is unintuitive and seems like a bug to me.
Hi @kysymysteke,
Here is another option...
In my opinion the best way to add protection and security to a website is
by using the .htaccess file.
From my understanding the most advised way of adding CSP to WordPress is
by adding CSP rules to the .htaccess file. Bear in mind that for this to
work your web server must have the headers module activated. Add the code
below to your .htaccess file.
{{{#!apache
# Only applied when mod_headers is loaded; otherwise the directive is skipped silently.
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
</IfModule>
}}}
This allows anything to be loaded from the website plus images from the
specified domain (gravatar.com) over http & https. Anything else will be
blocked by your browser.
Anyhoo this then blocks loading of JavaScript, images or data from other
trusted domains e.g. plugins, so you will need to approve trusted domains
using 'unsafe-inline'. For instance say you want to use Google Analytics
you add the code below:
{{{
script-src 'self' 'unsafe-inline' http: https: *.google-analytics.com;
}}}
Adding CSP on your website will break your back-end, so you need to add the
following rules to the .htaccess file in the wp-admin folder.
{{{#!apache
<IfModule mod_headers.c>
# Trailing backslashes continue the directive onto the next line.
Header set Content-Security-Policy "default-src 'self'; img-src 'self' \
data: http: https: *.gravatar.com; script-src 'self' 'unsafe-inline' \
'unsafe-eval'; style-src 'self' 'unsafe-inline' http: https: \
fonts.googleapis.com; font-src 'self' data: http: https: \
fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>
}}}
An alternative would be to disable CSP rules on your admin area but I
guess in your case that's not an option.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47788#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
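For readers who want to stay inside WordPress rather than .htaccess, here is the workaround the reporter describes (attaching the header callback to 'login_init' and 'admin_init' as well as 'send_headers') combined with the two policies quoted in the comment, as a single must-use plugin. This is an added example and not code from the ticket, the commenter, or WordPress core; the `cspx_` function and constant names, the mu-plugins placement and the report-only switch are my own assumptions.

```php
<?php
/**
 * Plugin Name: CSP everywhere (added example, not part of ticket #47788)
 * Description: Sends a Content-Security-Policy header on front-end, login and admin requests.
 * Drop this file into wp-content/mu-plugins/ (assumed location; mu-plugins load automatically).
 */

// Policy for public pages: same-origin resources plus Gravatar images
// (the values quoted in the comment above).
const CSPX_FRONT_POLICY = "default-src 'self'; img-src 'self' http: https: *.gravatar.com;";

// wp-admin and wp-login.php rely on inline scripts/styles and eval, so they get
// the looser admin policy from the comment. Tightening it further needs testing
// against the admin screens actually in use.
const CSPX_ADMIN_POLICY = "default-src 'self'; img-src 'self' data: http: https: *.gravatar.com; "
    . "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    . "style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com; "
    . "font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;";

// Set to true during rollout: browsers then report violations in the console
// instead of blocking resources, so a too-strict policy does not break pages.
const CSPX_REPORT_ONLY = false;

/**
 * Emit the CSP header once per request, choosing the policy by request type.
 */
function cspx_send_csp_header() {
    static $sent = false;                 // guard: more than one hook may fire on one request
    if ( $sent || headers_sent() ) {      // too late to add headers once output has started
        return;
    }
    $sent = true;

    // wp-login.php is not an admin screen, so is_admin() is false there;
    // current_action() tells us we arrived via the login_init hook.
    $is_login = ( 'login_init' === current_action() );
    $policy   = ( is_admin() || $is_login ) ? CSPX_ADMIN_POLICY : CSPX_FRONT_POLICY;
    $name     = CSPX_REPORT_ONLY ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';

    header( $name . ': ' . $policy, true ); // true = replace any earlier copy of the header
}

// 'send_headers' only fires for front-end requests handled by class WP, which is
// the behaviour the ticket reports, so the same callback is also attached to the
// login and admin entry points.
add_action( 'send_headers', 'cspx_send_csp_header' );
add_action( 'login_init',   'cspx_send_csp_header' );
add_action( 'admin_init',   'cspx_send_csp_header' );
```

To check the result without a browser, `curl -sI` against the front page and against `/wp-login.php` should both show the header. An unauthenticated request to `/wp-admin/` is redirected by `auth_redirect()` before `admin_init` runs, so verify the admin side while logged in (browser developer tools, Network tab). REST API requests are dispatched from `parse_request` and exit before `send_headers`, so `/wp-json/` responses are not covered by this plugin; check them separately if that matters to you.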