Security: Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases.

This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area. Props aranwer104, qcmiao Fixes #43285 Built from https://develop.svn.wordpress.org/trunk@42830 git-svn-id: http://core.svn.wordpress.org/trunk@42660 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-03-12 10:57:35 +00:00 · 2018-03-12 10:57:35 +00:00 · d7025e7787
parent 42b03122b5
commit d7025e7787
2 changed files with 6 additions and 4 deletions
--- a/wp-admin/includes/misc.php
+++ b/wp-admin/includes/misc.php
@ -1146,15 +1146,17 @@ function wp_admin_canonical_url() {
 * @since 4.9.0
 */
 function wp_admin_headers() {
-	$policy = 'same-origin';
+	$policy = 'strict-origin-when-cross-origin';

 	/**
-	 * Filters the admin referrer policy header value. Default 'same-origin'.
+	 * Filters the admin referrer policy header value.
 	 *
 	 * @since 4.9.0
+	 * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
+	 *
 	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 	 *
-	 * @param string $policy The referrer policy header value.
+	 * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
 	 */
 	$policy = apply_filters( 'admin_referrer_policy', $policy );

--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.0-alpha-42829';
+$wp_version = '5.0-alpha-42830';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.