[wp-trac] [WordPress Trac] #27152: wp_get_referer() no longer reports off-site referrers

WordPress Trac noreply at wordpress.org
Wed Mar 19 00:15:34 UTC 2014


#27152: wp_get_referer() no longer reports off-site referrers
----------------------------+--------------------
 Reporter:  bpetty          |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  3.9
Component:  Bootstrap/Load  |     Version:  3.6.1
 Severity:  major           |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+--------------------

Comment (by nacin):

 The security team includes a number of lead developers (well, all of them)
 as well as others who are known for their security and API acumen like
 dd32 and duck_. Everyone signed off on this change. These changes are not
 ones we make lightly, whether in public or in private. In this case, we
 also factored in that dropping a referer would not be critical, especially
 given how much they are already dropped in practice.

 You may be right that it has diminished the need to use
 wp_safe_redirect(). The fact of the matter was that core was doing it
 wrong something like 40% of the time. If that's our track record, then we
 cannot expect a plugin developer to be any better. Sometimes we go with
 the scalpel; in this case, we chose the hammer.
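As an added illustration of the distinction the comment draws (and not code from WordPress core or from nacin), the function below shows the host check that a "safe" redirect needs before a raw referer can be used as a redirect target: same-host and path-only URLs are kept, while off-site, protocol-relative and non-http(s) values fall back to a fixed on-site location. The helper name, the allowed-host list and the sample referers are all constructed for this example; it only mirrors the idea of `wp_safe_redirect()`, not its exact code.

```php
<?php
// Added example, not WordPress core code. Demonstrates why passing
// HTTP_REFERER straight to a redirect is an open redirect, and what the
// allowed-host check in a "safe" redirect has to reject.

/**
 * Return $url if it is a path-only URL or its host is in $allowed_hosts,
 * otherwise return $fallback. Hypothetical helper; names are assumptions.
 */
function example_validate_redirect(string $url, array $allowed_hosts, string $fallback): string
{
    $url = trim($url);
    if ($url === '') {
        return $fallback;
    }

    // Protocol-relative URLs ("//other.example/x") carry a host but no scheme;
    // give them a scheme so parse_url() exposes the host.
    if (substr($url, 0, 2) === '//') {
        $url = 'https:' . $url;
    }

    $parts = parse_url($url);
    if ($parts === false) {
        return $fallback; // unparseable input is never a redirect target
    }

    // Only http(s) may be followed; javascript:, data: and friends are dropped.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }

    // A path-only URL ("/wp-admin/") stays on this site.
    if (!isset($parts['host'])) {
        return $url;
    }

    // Compare the parsed host, not a string prefix, so userinfo tricks such as
    // "https://example.org@other.example/" resolve to the real host.
    $host = strtolower($parts['host']);
    return in_array($host, $allowed_hosts, true) ? $url : $fallback;
}

// Constructed sample referers, labelled with the expected decision.
$allowed  = ['example.org'];
$fallback = '/wp-admin/';
$cases = [
    'https://example.org/wp-admin/edit.php'  => 'kept: same host',
    '/wp-admin/post.php?post=1'              => 'kept: path only',
    'https://other.example/landing'          => 'dropped: off-site host',
    '//other.example/landing'                => 'dropped: protocol-relative off-site',
    'https://example.org@other.example/'     => 'dropped: userinfo, real host differs',
    'javascript:alert(1)'                    => 'dropped: not http(s)',
];
foreach ($cases as $referer => $note) {
    printf("%-42s -> %-40s (%s)\n", $referer, example_validate_redirect($referer, $allowed, $fallback), $note);
}
```

Run with `php example.php`; every "dropped" case prints the `/wp-admin/` fallback, which is the behaviour the comment describes as acceptable given how often referers are already absent in practice.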

--
Ticket URL: <https://core.trac.wordpress.org/ticket/27152#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform