Index: wp-includes/class-wp-customize.php
===================================================================
--- wp-includes/class-wp-customize.php	(revision 20738)
+++ wp-includes/class-wp-customize.php	(working copy)
@@ -71,6 +71,16 @@
 		if ( ! isset( $_REQUEST['customize'] ) || 'on' != $_REQUEST['customize'] )
 			return;
 
+		$url = parse_url( admin_url() );
+		$allowed_origins = array( 'http://' . $url[ 'host' ],  'https://' . $url[ 'host' ] );
+		// @todo preserve port?
+		if ( isset( $_SERVER[ 'HTTP_ORIGIN' ] ) && in_array( $_SERVER[ 'HTTP_ORIGIN' ], $allowed_origins ) )
+			$origin = $_SERVER[ 'HTTP_ORIGIN' ];
+		else
+			$origin = $url[ 'scheme' ] . '://' . $url[ 'host' ];
+
+		@header( 'Access-Control-Allow-Origin: ' .  $origin );
+
 		$this->start_previewing_theme();
 		show_admin_bar( false );
 	}
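Review bot: The origin allow-list check on the `in_array` line is a loose comparison and the reflected header is sent without a cache key, so the same response can be served to a different origin by an intermediate cache; use `in_array( $_SERVER['HTTP_ORIGIN'], $allowed_origins, true )` and emit `header( 'Vary: Origin' );` alongside the `Access-Control-Allow-Origin` header. The `@todo preserve port?` is a functional gap rather than a nicety: when admin_url() carries a non-default port the browser's Origin header includes it, so neither allow-list entry matches and the fallback also drops the port, which would block the preview's own request; appending `( isset( $url['port'] ) ? ':' . $url['port'] : '' )` to the allowed entries and the fallback resolves it. The `@` on `header()` hides a "headers already sent" warning that would explain a silently missing CORS header, so it is better left off. The enclosing method begins outside the hunk.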
