Skip to content

Admin Bar: Prevent cache poisoning from device-specific mobile class #11729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Sukhendu2002 wants to merge 2 commits into
base: trunk
Choose a base branch
from
+55 −2
Open

Admin Bar: Prevent cache poisoning from device-specific mobile class #11729

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
99e9df0
Admin Bar: Prevent cache poisoning from device-specific classes
Sukhendu2002 May 6, 2026
f674617
Merge branch 'trunk' into fix/28117-admin-bar-cache-poisoning
Sukhendu2002 May 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions src/wp-includes/class-wp-admin-bar.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -463,9 +463,12 @@ final protected function _render( $root ) {
/*
* Add browser classes.
* We have to do this here since admin bar shows on the front end.
* The 'mobile' class is only added for logged-in users to avoid cache poisoning:
* logged-out pages are commonly served from a full-page cache, so a device-specific
* class set by the first visitor would be served to all subsequent visitors.
*/
$class = 'nojq nojs';
if ( wp_is_mobile() ) {
$class = 'nojs';
if ( is_user_logged_in() && wp_is_mobile() ) {
$class .= ' mobile';
}

Expand Down
50 changes: 50 additions & 0 deletions tests/phpunit/tests/adminbar.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -822,6 +822,56 @@ public function test_proto_property_is_not_defined() {
$this->assertFalse( isset( $admin_bar->proto ), 'WP_Admin_Bar::$proto should not be defined.' );
}

/**
* Tests that the 'mobile' class is not added to the admin bar for logged-out users on mobile,
* preventing cache poisoning when full-page caching is active.
*
* @ticket 28117
* @covers WP_Admin_Bar::render
*/
public function test_admin_bar_does_not_add_mobile_class_for_logged_out_users() {
add_filter( 'wp_is_mobile', '__return_true' );

$admin_bar = new WP_Admin_Bar();
$admin_bar_html = get_echo( array( $admin_bar, 'render' ) );

remove_filter( 'wp_is_mobile', '__return_true' );

$this->assertStringNotContainsString( 'class="nojs mobile"', $admin_bar_html, 'The "mobile" class should not be present for logged-out users.' );
}

/**
* Tests that the 'mobile' class is added to the admin bar for logged-in users on mobile.
*
* @ticket 28117
* @covers WP_Admin_Bar::render
*/
public function test_admin_bar_adds_mobile_class_for_logged_in_users_on_mobile() {
wp_set_current_user( self::$admin_id );
add_filter( 'wp_is_mobile', '__return_true' );

$admin_bar = new WP_Admin_Bar();
$admin_bar_html = get_echo( array( $admin_bar, 'render' ) );

remove_filter( 'wp_is_mobile', '__return_true' );
wp_set_current_user( 0 );

$this->assertStringContainsString( 'class="nojs mobile"', $admin_bar_html, 'The "mobile" class should be present for logged-in users on mobile.' );
}

/**
* Tests that the 'nojq' class is never present in the admin bar output.
*
* @ticket 28117
* @covers WP_Admin_Bar::render
*/
public function test_admin_bar_does_not_output_nojq_class() {
$admin_bar = new WP_Admin_Bar();
$admin_bar_html = get_echo( array( $admin_bar, 'render' ) );

$this->assertStringNotContainsString( 'nojq', $admin_bar_html, 'The "nojq" class should not be present in the admin bar output.' );
}

/**
* This test ensures that WP_Admin_Bar::$menu is declared as a "regular" class property.
*
Expand Down
Loading