[wp-trac] [WordPress Trac] #49136: White screen in password protected posts, referrer policy
WordPress Trac
noreply at wordpress.org
Sun Jan 5 17:19:32 UTC 2020
#49136: White screen in password protected posts, referrer policy
-------------------------------+-----------------------------
 Reporter:  derfuchs98         |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:  5.3.2
 Severity:  normal             |   Keywords:
  Focuses:  accessibility      |
-------------------------------+-----------------------------
**Background**
Under some circumstances WP is displaying a white screen referring to URL
..../wp-login.php?action=postpass after entering either correct or
incorrect password into password protected posts. It turns out this
behaviour occurs reproducibly in case the WP site is set to no-referrer policy
e.g. by Nginx configuration. This behaviour was observed since about July
last year.
**Steps to reproduce**
1. Force no-referrer policy in Nginx .conf file

       add_header Referrer-Policy no-referrer;
       service nginx restart

2. Protect any post by password
3. Verify no-referrer policy in e.g. Chrome F12->network
4. Enter password into your password protected post
5. /wp-login.php?action=postpass white screen pops up, no error message,
no debug hints.
These steps reproduce in any WP configuration (under Ubuntu Server 18.04
LTS, LEMP stack) with or without themes/plugins. Exception: Safari and
Edge (as of August last year) do not show the white screen. Reason: These
browsers do not support referrer policy.
**Work around**
Set referrer policy to any other policy than no-referrer. In my case
strict-origin-when-cross-origin did the job.
**Suggestion**
This issue might not be too common but it might become more relevant due
to GDPR in Europe.
It seems that wp-login.php requires a reference to the calling URL to be
able to redirect to that URL after verifying the password. In case of no-
referrer policy this reference is not disclosed, hence wp-login.php cannot
return to its caller.
If that is the case, in order to ensure stable operation of password
protected posts WP must not allow no-referrer policy but should force any
other secure policy.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49136>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
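
The dependency described under "Suggestion", as an added example (not WordPress core code and not part of the ticket): a hypothetical helper, `pick_redirect_target()`, that never leaves the redirect target empty when the browser sends no Referer and only follows a Referer that points at the site's own host. The host `blog.example` and all sample inputs are constructed.

```php
<?php
// Added illustration; hypothetical helper, not WordPress core code.

/**
 * Choose where to send the visitor after the post-password form is handled.
 *
 * $referer  raw Referer header, or null when the browser sent none
 *           (the case under "Referrer-Policy: no-referrer").
 * $fallback absolute URL on this site, used whenever the Referer is unusable.
 */
function pick_redirect_target(?string $referer, string $fallback): string
{
    if ($referer === null || $referer === '') {
        return $fallback;               // no Referer: do not redirect to nothing
    }
    $ref  = parse_url($referer);
    $home = parse_url($fallback);
    if ($ref === false || $home === false) {
        return $fallback;               // unparseable URL
    }
    $scheme = strtolower($ref['scheme'] ?? '');
    $host   = $ref['host'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return $fallback;               // javascript:, data:, relative junk, ...
    }
    // Referer is client-controlled: following a foreign host would make the
    // handler an open redirect, so only same-host targets are accepted.
    if (strcasecmp($host, $home['host'] ?? '') !== 0) {
        return $fallback;
    }
    return $referer;
}

// Constructed sample inputs.
$fallback = 'https://blog.example/';
$cases = [
    'no Referer (no-referrer)' => null,
    'same-site post'           => 'https://blog.example/protected-post/',
    'foreign host'             => 'https://other.example/landing',
    'non-http scheme'          => 'javascript:alert(1)',
];
foreach ($cases as $label => $referer) {
    printf("%-26s -> %s\n", $label, pick_redirect_target($referer, $fallback));
}
// A real handler would then send: header('Location: ' . $target, true, 302); exit;
```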