From fbd44ee5541ef4ce547a84c652288ec82d5e5075 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Wed, 4 Oct 2017 18:25:46 +0000
Subject: [PATCH] Security: Add a referrer policy header to the admin and login screens.

This sets a referrer policy of `same-origin` which adds hardening by preventing a referrer being sent from the admin area or login screens to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within URLs.

This change introduces a new filter, `admin_referrer_policy`, for filtering the referrer policy header value. The header can be disabled if necessary by removing the `wp_admin_headers` action from the `admin_init` and `login_init` hooks.

Props joostdevalk
Fixes #42036
Built from https://develop.svn.wordpress.org/trunk@41741

git-svn-id: http://core.svn.wordpress.org/trunk@41575 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/admin-filters.php | 2 ++
 wp-admin/includes/misc.php | 21 +++++++++++++++++++++
 wp-includes/version.php | 2 +-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/wp-admin/includes/admin-filters.php b/wp-admin/includes/admin-filters.php
index 7f94480d02..79751a4ef6 100644
--- a/wp-admin/includes/admin-filters.php
+++ b/wp-admin/includes/admin-filters.php
@@ -38,6 +38,8 @@ add_filter( 'media_upload_library', 'media_upload_library' );
 add_filter( 'media_upload_tabs', 'update_gallery_tab' );
 
 // Misc hooks.
+add_action( 'admin_init', 'wp_admin_headers' );
+add_action( 'login_init', 'wp_admin_headers' );
 add_action( 'admin_head', 'wp_admin_canonical_url' );
 add_action( 'admin_head', 'wp_color_scheme_settings' );
 add_action( 'admin_head', 'wp_site_icon' );
diff --git a/wp-admin/includes/misc.php b/wp-admin/includes/misc.php
index 21baaceaf5..c434b8d3ed 100644
--- a/wp-admin/includes/misc.php
+++ b/wp-admin/includes/misc.php
@@ -919,6 +919,27 @@ function wp_admin_canonical_url() {
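Review bot: The two new `add_action( …, 'wp_admin_headers' )` lines sit under the generic `// Misc hooks.` label with nothing saying why the same callback is attached to both `admin_init` and `login_init`, or what the header does and does not protect; a short comment would spare the next reader a trip to misc.php, where `wp_admin_headers` is defined outside this hunk. I would put above them: `// Send the admin Referrer-Policy header (see wp_admin_headers); login_init is needed as well because wp-login.php does not run admin_init.` — the second clause is my inference from the pairing, so confirm it before committing the wording. It is also worth noting, in the comment or the commit message, that a `same-origin` policy only suppresses the Referer on cross-origin navigations: a link from the admin to a same-origin front-end page still carries the full admin URL (query string included), where any third-party script on that page can read it via `document.referrer`, so this does not close that path. As far as I recall, `admin_init` also fires for admin-ajax.php and admin-post.php requests, so the header will accompany those responses too; that looks harmless but is presumably not the intent and deserves a sentence.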