IntenseWebs/WordPress
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Customizer: Improve browser compatibility of the preview iframe.

Browse Source 
When `home` and `siteurl` are different, the customizer preview iframe will be blank in Chrome and Safari, due to their `X-Frame-Options` implementation quirks.

Changing this to `SAMEORIGIN` and adding the `frame-ancestors` Content Security Policy gives the correct behaviour.

Props fullyint.
Fixes #40020.


Built from https://develop.svn.wordpress.org/trunk@44580


git-svn-id: http://core.svn.wordpress.org/trunk@44411 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast
2019-01-14 06:38:51 +00:00
parent 10c66fb426
commit d8f4a04232
2 changed files with 3 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
wp-includes/class-wp-customize-manager.php
View File

@@ -1896,9 +1896,8 @@ final class WP_Customize_Manager {
* @return array Headers.
*/
public function filter_iframe_security_headers( $headers ) {
$customize_url = admin_url( 'customize.php' );
$headers['X-Frame-Options'] = 'ALLOW-FROM ' . $customize_url;
$headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );
$headers['X-Frame-Options'] = 'SAMEORIGIN';
$headers['Content-Security-Policy'] = "frame-ancestors 'self'";
return $headers;
}