• “Referrer-Policy: no-referrer” is set at our server/hosting level, which I think is the strictest and is set to keep things as secure as possible (if you disagree, it would be great to hear why and if there’s a better setting we could request that other WP site owners use).

    This setting prevents core WP password protect pages from working. When you enter the password the user sees the white PHP screen with no error. I presume the WordPress password protect page needs the referrer? Should it really be using some kind of redirect instead? We proved this by amending/removing the Referrer-Policy and the password page functionality worked.

    I found another password protected page plugin called “content-protector” which I tested and it gets around this problem (it must use an alternative to referrer). However, I am hoping I can find a way to make the core WordPress and config work rather than relying on another plugin.

    TIA, P26

  • Hello @phoenix26,

    I came across another user experiencing this issue a few weeks ago (reference).

    This behavior indeed occurs when the Referrer Policy is set to no-referrer as this drops the “HTTP_REFERER” value, and the code in wp-login.php that relies on it is therefore affected as well.

    Since using the no-referrer value for the Referrer Policy causes this issue, you may want to consider using strict-origin-when-cross-origin instead (which is also the browser default: https://web.dev/articles/referrer-best-practices#default).

    I hope that these insights are useful to you.

    Kind regards, Jarno
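
What each of the two policies named in the reply above puts in the Referer header, as an added example that is not part of the thread and is not WordPress code. The URLs are constructed, and the HTTPS comparison is a simplification of the "potentially trustworthy" test in the W3C Referrer Policy specification.

```javascript
// Added example: models the Referer value a browser sends for a request
// under a given Referrer-Policy. All URLs below are constructed samples.

// Simplification: treat "https -> anything else" as a downgrade.
function isDowngrade(from, to) {
  return from.protocol === "https:" && to.protocol !== "https:";
}

// Returns the Referer header value, or null when no header is sent.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Credentials and the fragment are stripped before a URL is used as referrer.
  from.username = "";
  from.password = "";
  from.hash = "";
  const full = from.href;
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;

  switch (policy) {
    case "no-referrer":
      return null; // never sent, even to the site's own wp-login.php
    case "same-origin":
      return sameOrigin ? full : null;
    case "strict-origin":
      return isDowngrade(from, to) ? null : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full; // own site still sees the full URL
      return isDowngrade(from, to) ? null : originOnly;
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

const page = "https://blog.example/members-only/#comments";
const targets = [
  "https://blog.example/wp-login.php", // same origin
  "https://cdn.example/asset.js",      // cross origin, HTTPS
  "http://legacy.example/track",       // cross origin, downgrade
];
for (const policy of ["no-referrer", "strict-origin-when-cross-origin"]) {
  for (const target of targets) {
    console.log(policy, "->", target, ":", refererFor(policy, page, target));
  }
}
```

Under strict-origin-when-cross-origin the path of the protected page is only disclosed to the site itself; other origins receive at most the bare origin.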

    Thread Starter phoenix26

    (@phoenix26)

    Thanks @jarnovos very useful indeed!

    Is there a case for raising a bug with WP to fix wp-login.php so it works in a different way or is it reasonable how it’s currently working with regards to the Referrer Policy setting?

    I appreciate this may be way down the line in terms of priority and the way it works currently may be acceptable. I’m happy to ask if we can use the “strict-origin-when-cross-origin”, but I wanted to cover all bases as I imagine this will catch a lot of WP admins/users out…

    Thanks again
