Ticket #20507: 20507.5.diff

Index: wp-includes/class-wp-customize.php
===================================================================
--- wp-includes/class-wp-customize.php  (revision 20782)
+++ wp-includes/class-wp-customize.php  (working copy)
@@ -71,12 +71,9 @@
                if ( ! isset( $_REQUEST['customize'] ) || 'on' != $_REQUEST['customize'] )
                        return;
 
-               $url = parse_url( admin_url() );
-               $allowed_origins = array( 'http://' . $url[ 'host' ],  'https://' . $url[ 'host' ] );
-               // @todo preserve port?
-               if ( isset( $_SERVER[ 'HTTP_ORIGIN' ] ) && in_array( $_SERVER[ 'HTTP_ORIGIN' ], $allowed_origins ) ) {
-                       $origin = $_SERVER[ 'HTTP_ORIGIN' ];
-               } else {
+               if ( ! $origin = get_allowed_http_origin() ) {
+                       // @todo Maybe kill this fallback since fallbacks aren't to spec.
+                       $url = parse_url( admin_url() );
                        $origin = $url[ 'scheme' ] . '://' . $url[ 'host' ];
                }
 
Index: wp-includes/http.php
===================================================================
--- wp-includes/http.php        (revision 20782)
+++ wp-includes/http.php        (working copy)
@@ -222,3 +222,35 @@
 
        return (bool) $objFetchSite->_get_first_available_transport( $capabilities );
 }
+
+function get_http_origin() {
+       $origin = '';
+       if ( ! empty ( $_SERVER[ 'HTTP_ORIGIN' ] ) )
+               $origin = $_SERVER[ 'HTTP_ORIGIN' ];
+
+       return apply_filters( 'http_origin', $origin );
+}
+
+function get_allowed_http_origins() {
+       $admin_origin = parse_url( admin_url() );
+       $home_origin = parse_url( home_url() );
+
+       // @todo preserve port?
+       $allowed_origins = array(
+                                               'http://' . $admin_origin[ 'host' ],
+                                               'https://' . $admin_origin[ 'host' ],
+                                               'http://' . $home_origin[ 'host' ],
+                                               'https://' . $home_origin[ 'host' ],
+                                               );
+
+       return apply_filters( 'allowed_http_origins' , $allowed_origins );
+}
+
+function get_allowed_http_origin() {
+       $origin = get_http_origin();
+
+       if ( $origin && ! in_array( $origin, get_allowed_http_origins() ) )
+               $origin = '';
+
+       return apply_filters( 'allowed_http_origin', $origin );
+}
\ No newline at end of file