[wp-trac] [WordPress Trac] #62881: Strict referrer policy is breaking post/page passwords

WordPress Trac noreply at wordpress.org
Wed Jan 29 18:03:27 UTC 2025


#62881: Strict referrer policy is breaking post/page passwords
------------------------------------+-----------------------------
 Reporter:  zodiac1978              |      Owner:  (none)
     Type:  defect (bug)            |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:
 Severity:  normal                  |   Keywords:  needs-patch
  Focuses:                          |
------------------------------------+-----------------------------
 I hoped #62273 could have fixed this problem, but @johnbillion said this
 is not the case and asked me to open a new ticket
 [https://core.trac.wordpress.org/ticket/62273#comment:10 here]. So, here
 it is:

 If we password-protect a post or page, the password gets sent to
 `/wp-login.php?action=postpass`

 The code can be seen on this link:
 https://github.com/WordPress/WordPress/blob/master/wp-login.php#L766-L797

 The problem is now this line:

 {{{
 wp_safe_redirect( wp_get_referer() );
 }}}

 If no referrer is there (or only the domain, but no path), the redirect
 does not work at all (White Screen of Death), or after entering the
 password you get redirected to the domain instead of the post/page
 (although the postpass cookie is now there and access is granted, you need
 to find the page again).

 This bug was first reported in the forums:
 https://wordpress.org/support/topic/password-protected-page-no-longer-working/

 Relevant documentation can be found here:
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

 On Apache you can disable the referrer with these lines:

 {{{
 # Referrer-Policy
 <IfModule mod_headers.c>
         Header set Referrer-Policy "no-referrer"
 </IfModule>
 }}}

 or set it to send only the domain (no path):

 {{{
 # Referrer-Policy
 <IfModule mod_headers.c>
         Header set Referrer-Policy "origin"
 </IfModule>
 }}}

 The suggested solution from @johnbillion in #62273 was this idea:

 > Seems like it would be easily solved by adding a hidden redirect_to field
 > in get_the_password_form().

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62881>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
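
As an added illustration of the hidden-field idea quoted above (example code, not WordPress core and not the reporter's or @johnbillion's code): a small plugin that hooks the `the_password_form` filter and appends a hidden `_wp_http_referer` input carrying the post's permalink. That field name is chosen because `wp_get_referer()` reads `$_REQUEST['_wp_http_referer']` before it falls back to the HTTP `Referer` header, so the existing `wp_safe_redirect( wp_get_referer() );` line in wp-login.php picks the value up even when the browser sends `Referrer-Policy: no-referrer`. Assumptions: the filter passes `$post` as its second argument (WordPress 5.8 and later; the code tolerates its absence), and the `pprf_` prefix and plugin name are hypothetical.

```php
<?php
/**
 * Plugin Name: Postpass Referrer Fallback (example)
 *
 * Added example, not WordPress core code. Carries the current post URL in
 * the password form itself, so the postpass handler in wp-login.php no
 * longer depends on the HTTP Referer header being present.
 *
 * Assumption: wp_get_referer() -> wp_get_raw_referer() prefers
 * $_REQUEST['_wp_http_referer'] over $_SERVER['HTTP_REFERER'], and still
 * runs the result through wp_validate_redirect(), so an off-site value in
 * the hidden field is rejected rather than followed.
 */

add_filter( 'the_password_form', 'pprf_add_referer_field', 10, 2 );

/**
 * Append a hidden _wp_http_referer field to the post password form.
 *
 * @param string       $output Form HTML produced by get_the_password_form().
 * @param WP_Post|null $post   Post the form belongs to (second filter argument, WP 5.8+).
 * @return string Form HTML with the hidden field added.
 */
function pprf_add_referer_field( $output, $post = null ) {
    // Fall back to the global post when the filter only passed one argument.
    $post = get_post( $post );
    if ( ! $post instanceof WP_Post ) {
        return $output;
    }

    // Another plugin may already have added the field; do not duplicate it.
    if ( false !== strpos( $output, 'name="_wp_http_referer"' ) ) {
        return $output;
    }

    // Where the visitor should land after the cookie has been set.
    $redirect = get_permalink( $post );
    if ( ! $redirect ) {
        return $output;
    }

    $field = sprintf(
        '<input type="hidden" name="_wp_http_referer" value="%s" />',
        esc_url( $redirect )
    );

    // Insert just before the closing tag so the field is part of the POST body.
    $pos = strrpos( $output, '</form>' );
    if ( false === $pos ) {
        return $output;
    }

    return substr( $output, 0, $pos ) . $field . substr( $output, $pos );
}
```

To try it, drop the file into `wp-content/mu-plugins/` on a site that sends `Referrer-Policy: no-referrer`, open a password-protected post and submit the password: the browser should return to the post instead of the front page or a blank response. The hidden value is user-controlled, but because `wp_get_referer()` validates it with `wp_validate_redirect()` and the handler uses `wp_safe_redirect()`, a tampered value pointing at another host falls back to the safe default rather than becoming an open redirect.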


More information about the wp-trac mailing list