Blank page if referrer-policy directive is set

  • Resolved acidstout

    (@acidstout)


    3 years, 9 months ago

    This happens at least to version 1.6.2. I did not check older versions.

    For testing I deactivated all other plugins.

    To reproduce:
    1. Make sure headers don’t send a referrer e.g., by adding this to your .htaccess file: “Header set Referrer-Policy: no-referrer”
    2. Reload the admin page in order to make the directive apply.
    3. Click the clear cache link in the admin’s top row. The cache is cleared, but you get redirected to a blank page. This does not happen, if you click the “Save and Clear Cache” button on the plugin’s options page or if the directive is not set.

    Please note that this directive can be set easily by plugins such as HTTP headers to improve web site security and users – especially the inexperienced ones – will likely be unaware of this issue.

    Also I think, there’s no much you can do about. Maybe check the .htaccess file for such directive and show a warning upon activation of the plugin. Or at least some explanation in the plugin’s description or readme file.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Anonymous User 16850768

    (@anonymized-16850768)

    You’re right, this would occur if no HTTP referer was available (cache_enabler.class.php#L922-L923). I will have this behavior improved to prevent this from occurring. Thank you for reporting this, it’s sincerely appreciated.

    Thread Starter acidstout

    (@acidstout)

    Thanks for your reply. I already came up with a working solution in the meantime.

    $uri = wp_get_referer();
if (empty($uri)) {
	$uri = isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
	$uri = preg_replace( '|^.*/wp-admin/|i', '', $uri );

	if ( ! $uri ) {
		$uri = '';
	}

	$uri = remove_query_arg( array( '_wpnonce', '_action', '_cache' ), admin_url( $uri ) );
}
		
wp_safe_redirect( $uri );

    What do you think? Would that work for you?

    Anonymous User 16850768

    (@anonymized-16850768)

    That’s great! I’m happy to hear you were able to come up with a solution in the meantime. This has been fixed in PR #212 and will be released in the next version (1.7.0).

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Blank page if referrer-policy directive is set’ is closed to new replies.