Security: Enable the referrer policy header on the login screen.

johnbillion · johnbillion · commit 1b57f98088f6 · 2025-01-27T14:39:18.000Z
This sets the same referrer policy of `strict-origin-when-cross-origin` that's used in the admin area to prevent a referrer being sent to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within the URL. The header can be disabled if necessary by removing the `wp_admin_headers` action from the `login_init` hook. Props kkmuffme, sagarlakhani, albatross10 Fixes #62273 See #42036 git-svn-id: https://develop.svn.wordpress.org/trunk@59712 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-admin/includes/admin-filters.php b/src/wp-admin/includes/admin-filters.php
@@ -44,7 +44,6 @@
 
 // Misc hooks.
 add_action( 'admin_init', 'wp_admin_headers' );
-add_action( 'login_init', 'wp_admin_headers' );
 add_action( 'admin_init', 'send_frame_options_header', 10, 0 );
 add_action( 'admin_head', 'wp_admin_canonical_url' );
 add_action( 'admin_head', 'wp_site_icon' );
diff --git a/src/wp-admin/includes/misc.php b/src/wp-admin/includes/misc.php
@@ -1415,29 +1415,6 @@ function wp_admin_canonical_url() {
 	<?php
 }
 
-/**
- * Sends a referrer policy header so referrers are not sent externally from administration screens.
- *
- * @since 4.9.0
- */
-function wp_admin_headers() {
-	$policy = 'strict-origin-when-cross-origin';
-
-	/**
-	 * Filters the admin referrer policy header value.
-	 *
-	 * @since 4.9.0
-	 * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
-	 *
-	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
-	 *
-	 * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
-	 */
-	$policy = apply_filters( 'admin_referrer_policy', $policy );
-
-	header( sprintf( 'Referrer-Policy: %s', $policy ) );
-}
-
 /**
  * Outputs JS that reloads the page if the user navigated to it with the Back or Forward button.
  *
diff --git a/src/wp-includes/default-filters.php b/src/wp-includes/default-filters.php
@@ -389,6 +389,7 @@
 add_action( 'login_head', 'wp_site_icon', 99 );
 add_action( 'login_footer', 'wp_print_footer_scripts', 20 );
 add_action( 'login_init', 'send_frame_options_header', 10, 0 );
+add_action( 'login_init', 'wp_admin_headers' );
 
 // Feed generator tags.
 foreach ( array( 'rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head' ) as $action ) {
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
@@ -7144,6 +7144,30 @@ function send_frame_options_header() {
 	header( 'X-Frame-Options: SAMEORIGIN' );
 }
 
+/**
+ * Sends a referrer policy header so referrers are not sent externally from administration screens.
+ *
+ * @since 4.9.0
+ * @since 6.8.0 This function was moved from `wp-admin/includes/misc.php` to `wp-includes/functions.php`.
+ */
+function wp_admin_headers() {
+	$policy = 'strict-origin-when-cross-origin';
+
+	/**
+	 * Filters the admin referrer policy header value.
+	 *
+	 * @since 4.9.0
+	 * @since 4.9.5 The default value was changed to 'strict-origin-when-cross-origin'.
+	 *
+	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+	 *
+	 * @param string $policy The admin referrer policy header value. Default 'strict-origin-when-cross-origin'.
+	 */
+	$policy = apply_filters( 'admin_referrer_policy', $policy );
+
+	header( sprintf( 'Referrer-Policy: %s', $policy ) );
+}
+
 /**
  * Retrieves a list of protocols to allow in HTML attributes.
  *
