Index: wp-includes/class-wp-customize.php
===================================================================
--- wp-includes/class-wp-customize.php	(revision 50541)
+++ wp-includes/class-wp-customize.php	(working copy)
@@ -71,6 +71,18 @@
 		if ( ! isset( $_REQUEST['customize'] ) || 'on' != $_REQUEST['customize'] )
 			return;
 
+		$url = parse_url( admin_url() );
+		$allowed_origins = array( 'http://' . $url[ 'host' ],  'https://' . $url[ 'host' ] );
+		// @todo preserve port?
+		if ( isset( $_SERVER[ 'HTTP_ORIGIN' ] ) && in_array( $_SERVER[ 'HTTP_ORIGIN' ], $allowed_origins ) ) {
+			$origin = $_SERVER[ 'HTTP_ORIGIN' ];
+		} else {
+			$origin = $url[ 'scheme' ] . '://' . $url[ 'host' ];
+		}
+
+		@header( 'Access-Control-Allow-Origin: ' .  $origin );
+		@header( 'Access-Control-Allow-Credentials: true' );
+
 		$this->start_previewing_theme();
 		show_admin_bar( false );
 	}
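Review bot: The allow-list on line 10 is built from `$url['host']` alone, so when admin_url() carries a non-default port the browser's Origin header (which includes the port) never matches, the fallback branch emits the admin origin without the port, and the credentialed request is rejected — the `@todo` on line 11 is a functional gap, not a nicety. It also allows the plain-`http://` origin even when admin_url() is `https://`, which lets a plaintext origin make credentialed reads of this response; unless the dual-scheme list is deliberate (and then it deserves a comment saying why), derive both scheme and port from the parsed URL: `$host = $url['host'] . ( isset( $url['port'] ) ? ':' . $url['port'] : '' );` and `$allowed_origins = array( $url['scheme'] . '://' . $host );`, with `in_array( ..., true )` for a strict string match. Because the response now depends on the request's Origin header, a `header( 'Vary: Origin' );` should accompany the two headers so intermediate caches do not serve one origin's ACAO value to another. The `@` on lines 18–19 hides a headers-already-sent warning that would explain a silently missing header. The enclosing method begins before this hunk.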
Index: wp-includes/js/customize-controls.dev.js
===================================================================
--- wp-includes/js/customize-controls.dev.js	(revision 50541)
+++ wp-includes/js/customize-controls.dev.js	(working copy)
@@ -343,15 +343,22 @@
 			if ( this.request )
 				this.request.abort();
 
-			this.request = $.post( this.url(), this.query() || {}, function( response ) {
-				var iframe = self.loader()[0].contentWindow;
+			this.request = $.ajax( this.url(), {
+				type: 'POST',
+				data: this.query() || {},
+				success: function( response ) {
+					var iframe = self.loader()[0].contentWindow;
 
-				self.loader().one( 'load', self.loaded );
+					self.loader().one( 'load', self.loaded );
 
-				iframe.document.open();
-				iframe.document.write( response );
-				iframe.document.close();
-			});
+					iframe.document.open();
+					iframe.document.write( response );
+					iframe.document.close();
+				},
+				xhrFields: {
+					withCredentials: true
+				}
+			} );
 		}
 	});
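Review bot: The new `$.ajax` call has a `success` handler but no `error` handler, so when the request fails — including the case where the server's Access-Control-Allow-Origin does not match this page's origin and the browser discards the response — nothing is written to the iframe, the `load` handler on line 41 is never armed, and the user is left with a stale preview and no indication why. Consider adding `error: function( xhr, status ) { if ( 'abort' !== status ) self.loader().trigger( 'error' ); }` (or whatever failure signal the preview object already exposes; I cannot see it from this hunk) next to `xhrFields` so an aborted request from line 30 stays silent while a real failure surfaces. If the project supports a jQuery older than the version that introduced `xhrFields`, that is worth a comment above line 51 as well, since the option would be ignored rather than rejected.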
 
