Index: wp-includes/class-wp-customize.php
===================================================================
--- wp-includes/class-wp-customize.php	(revision 20785)
+++ wp-includes/class-wp-customize.php	(working copy)
@@ -72,17 +72,15 @@
 			return;
 
 		$url = parse_url( admin_url() );
-		$allowed_origins = array( 'http://' . $url[ 'host' ],  'https://' . $url[ 'host' ] );
+		$allowed_origins = apply_filters( 'allowed_http_origins', array( 'http://' . $url[ 'host' ],  'https://' . $url[ 'host' ] ) );
 		// @todo preserve port?
-		if ( isset( $_SERVER[ 'HTTP_ORIGIN' ] ) && in_array( $_SERVER[ 'HTTP_ORIGIN' ], $allowed_origins ) ) {
-			$origin = $_SERVER[ 'HTTP_ORIGIN' ];
-		} else {
-			$origin = $url[ 'scheme' ] . '://' . $url[ 'host' ];
+		$origin = isset( $_SERVER[ 'HTTP_ORIGIN' ] ) ? $_SERVER[ 'HTTP_ORIGIN' ] : '';
+		$origin = apply_filters( 'http_origin', $origin );
+		if ( $origin && in_array( $origin, $allowed_origins ) ) {
+			@header( 'Access-Control-Allow-Origin: ' .  $origin );
+			@header( 'Access-Control-Allow-Credentials: true' );
 		}
 
-		@header( 'Access-Control-Allow-Origin: ' .  $origin );
-		@header( 'Access-Control-Allow-Credentials: true' );
-
 		$this->start_previewing_theme();
 		show_admin_bar( false );
 	}
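Review bot: The membership test `in_array( $origin, $allowed_origins )` uses loose comparison, and both operands now come from filters (`http_origin`, `allowed_http_origins`). A non-string entry returned by a callback (for example `true`) could therefore match an arbitrary Origin value, which is then echoed alongside `Access-Control-Allow-Credentials: true`; pass the strict flag, `if ( $origin && in_array( $origin, $allowed_origins, true ) ) {`. Because the allow-origin header depends on the request's Origin, the branch should also send `@header( 'Vary: Origin' );` so a shared cache cannot replay one origin's response to another. A short comment above the `allowed_http_origins` filter, stating that every entry it returns is granted credentialed cross-origin access to this endpoint, would help plugin authors. The enclosing method begins above the hunk, so the checks that run before this code are not visible here.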
