Index: wp-includes/class-wp-customize.php
===================================================================
--- wp-includes/class-wp-customize.php	(revision 20782)
+++ wp-includes/class-wp-customize.php	(working copy)
@@ -71,12 +71,9 @@
 		if ( ! isset( $_REQUEST['customize'] ) || 'on' != $_REQUEST['customize'] )
 			return;
 
-		$url = parse_url( admin_url() );
-		$allowed_origins = array( 'http://' . $url[ 'host' ],  'https://' . $url[ 'host' ] );
-		// @todo preserve port?
-		if ( isset( $_SERVER[ 'HTTP_ORIGIN' ] ) && in_array( $_SERVER[ 'HTTP_ORIGIN' ], $allowed_origins ) ) {
-			$origin = $_SERVER[ 'HTTP_ORIGIN' ];
-		} else {
+		if ( ! $origin = get_allowed_http_origin() ) {
+			// @todo Maybe kill this fallback since fallbacks aren't to spec.
+			$url = parse_url( admin_url() );
 			$origin = $url[ 'scheme' ] . '://' . $url[ 'host' ];
 		}
 
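Review bot: The fallback at the new `if ( ! $origin = get_allowed_http_origin() )` branch cannot distinguish "no Origin header sent" from "Origin header present but not on the allowed list", because get_allowed_http_origin() returns '' in both cases (see the http.php hunk), so a request from a disallowed origin silently ends up with `$origin` set to the admin scheme and host instead of being refused. If the fallback is kept for header-less requests, separate the two cases and bail on the second: `$origin = get_allowed_http_origin();`, `if ( ! $origin && get_http_origin() ) return;`, then `if ( ! $origin ) { /* fallback */ }`. That split also removes the assignment-inside-condition, which the existing early-return style at the top of the hunk avoids. The enclosing method starts before and ends after this hunk.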
Index: wp-includes/http.php
===================================================================
--- wp-includes/http.php	(revision 20782)
+++ wp-includes/http.php	(working copy)
@@ -222,3 +222,35 @@
 
 	return (bool) $objFetchSite->_get_first_available_transport( $capabilities );
 }
+
+function get_http_origin() {
+	$origin = '';
+	if ( ! empty ( $_SERVER[ 'HTTP_ORIGIN' ] ) )
+		$origin = $_SERVER[ 'HTTP_ORIGIN' ];
+
+	return apply_filters( 'http_origin', $origin );
+}
+
+function get_allowed_http_origins() {
+	$admin_origin = parse_url( admin_url() );
+	$home_origin = parse_url( home_url() );
+
+	// @todo preserve port?
+	$allowed_origins = array(
+						'http://' . $admin_origin[ 'host' ],
+						'https://' . $admin_origin[ 'host' ],
+						'http://' . $home_origin[ 'host' ],
+						'https://' . $home_origin[ 'host' ],
+						);
+
+	return apply_filters( 'allowed_http_origins' , $allowed_origins );
+}
+
+function get_allowed_http_origin() {
+	$origin = get_http_origin();
+
+	if ( $origin && ! in_array( $origin, get_allowed_http_origins() ) )
+		$origin = '';
+
+	return apply_filters( 'allowed_http_origin', $origin );
+}
\ No newline at end of file
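Review bot: The membership check in get_allowed_http_origin() uses a loose `in_array`, so any non-string value injected through the `allowed_http_origins` filter can match by type coercion; make it strict: `if ( $origin && ! in_array( $origin, get_allowed_http_origins(), true ) )`. In get_allowed_http_origins() the list carries both `http://` and `https://` for each host regardless of the scheme admin_url()/home_url() actually return, so a site served only over https still treats a plain-http origin as allowed — if that is not intended, build the entries from `$admin_origin['scheme']` and `$home_origin['scheme']` rather than hard-coding both. Because only the host is used (the `@todo preserve port?` comment), an Origin header carrying a non-default port will never match and the function returns '', which callers should expect. The three new functions also have no phpdoc; each should get the file's usual block (one-sentence purpose, `@return string`, and an `@since` with the release version) so the filter names are discoverable.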
