• Resolved solex

    (@solex)


    When you have a page in WordPress which has visibility set as “password protected”, having the Referrer-Policy option in apocalypse meow set to NONE prevents the page from loading when a user inputs a correct password. I thought it could be useful for you to either place this information in the tool-tip or even better fix the behaviour so it loads the page.

    Info:
    WordPress 5.7.2
    apocalypse meow version 21.7.2

    Password tech (wordpress built-in)

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Blobfolio

    (@blobfolio)

    Thanks @solex! I’ll take a look and see what weirdness WP is doing. Haha.

    Would you mind letting me know what theme your site is using?

    Plugin Author Blobfolio

    (@blobfolio)

    Never mind about the theme, @solex. The problem is with the WP Core.

    The post-password form doesn’t contain any information about the post being visited; it’s just the password field. The generic wp-login.php endpoint handling those requests just blindly shoves a hash of the typed password into a cookie, then tries to work backwards to figure out where the user came from by checking the referral header. (This is the bit that None is breaking for you.)

    It’s a very curious design.

    Unfortunately this isn’t something Apocalypse Meow can really fix, but I did push a small update, adding information about the possible incompatibility to the referrer-policy info box.

    If you have the option to mark your posts “private” rather than “password protected”, I would recommend doing that instead. WordPress’ password protection feature is sketchy. Form weirdness aside, post passwords are stored in plain text in the database and the posts themselves are marked “publish” just like public posts, making it really easy for a theme or plugin to accidentally leak their content.

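An added example, not part of the original thread and not code from WordPress or Apocalypse Meow: a small Python model of the flow described in the reply above, generalized to every standard Referrer-Policy value so a site owner can check which header settings leave the post-password redirect working. It assumes the plugin's "None" setting emits `Referrer-Policy: no-referrer`, that the handler redirects to whatever Referer it receives, and that the form is posted same-origin over HTTPS; the URL is a constructed sample.

```python
from urllib.parse import urlsplit

# What a browser sends as Referer on a same-origin HTTPS-to-HTTPS request
# under each standard Referrer-Policy value.
SAME_ORIGIN_REFERER = {
    "no-referrer": "none",
    "no-referrer-when-downgrade": "full",
    "same-origin": "full",
    "origin": "origin",
    "strict-origin": "origin",
    "origin-when-cross-origin": "full",
    "strict-origin-when-cross-origin": "full",
    "unsafe-url": "full",
}
BROWSER_DEFAULT = "strict-origin-when-cross-origin"  # current browser default

def effective_policy(header_value):
    """The last recognised token in the header wins; unknown tokens are skipped."""
    tokens = [t.strip().lower() for t in header_value.split(",")]
    known = [t for t in tokens if t in SAME_ORIGIN_REFERER]
    return known[-1] if known else BROWSER_DEFAULT

def referer_sent(policy, page_url):
    """Referer value for the password form POST, or None if it is suppressed."""
    mode = SAME_ORIGIN_REFERER[policy]
    if mode == "none":
        return None
    if mode == "origin":
        parts = urlsplit(page_url)
        return f"{parts.scheme}://{parts.netloc}/"
    return page_url

def postpass_outcome(header_value, post_url):
    """Assumed model: the handler sets the cookie, then redirects to the Referer."""
    post_url = post_url.split("#")[0]  # browsers never send the fragment
    policy = effective_policy(header_value)
    referer = referer_sent(policy, post_url)
    if referer is None:
        verdict = "broken: no Referer to redirect back to"
    elif referer != post_url:
        verdict = "degraded: redirect goes to the site root, not the post"
    else:
        verdict = "ok: redirect returns to the protected post"
    return policy, referer, verdict

if __name__ == "__main__":
    url = "https://example.test/protected-page/"  # constructed sample URL
    for header in ("no-referrer", "strict-origin", "same-origin", ""):
        print(repr(header), postpass_outcome(header, url))
```
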
    Thread Starter solex

    (@solex)

    Great – thanks for the quick response and the feedback

  • The topic ‘Referrer-Policy None breaks password protected pages’ is closed to new replies.