Opened 15 months ago

Last modified 15 months ago

#20094 new defect (bug)

The wpEditImage TinyMCE plugin is broken when TinyMCE is served from another domain

Reported by: mdawaffe
Owned by:
Priority: normal
Milestone: Awaiting Review
Component: TinyMCE
Version: 2.6
Severity: normal
Keywords: has-patch needs-testing
Cc: wordpress@…

Description

If TinyMCE is served from another domain (for example, a CDN), the wpEditImage plugin tries to open the image editing iframe from that other domain. This breaks inter-iframe communication due to a violation of the same-origin policy.

The code is the same all the way back to 2.6, but I didn't verify the problem occurs there (TinyMCE's API may have changed since then).

Attached:

  • Ensures the iframe is always served from the same origin as the parent page.
  • Fixes the iframe cache busting.
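
An added example, not part of the ticket or the attached patch: a JavaScript sketch of the same-origin check that the description turns on, applied when choosing a dialog iframe URL. The hosts, paths, function names and the `ver` cache-busting parameter are assumptions made for illustration.

```javascript
// Added illustration (not WordPress or TinyMCE code). All hosts, paths,
// function names and the `ver` parameter are constructed for this example.

// Two URLs share an origin only when scheme, host and port all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Pick the URL for a dialog iframe.
//   pageUrl    - the parent document that will talk to the iframe
//   scriptBase - where the editor scripts were loaded from (may be a CDN)
//   localBase  - a copy of the same files on the page's own origin
//   dialogPath - dialog file, relative to either base
//   version    - cache-busting token
function dialogUrl(pageUrl, scriptBase, localBase, dialogPath, version) {
  let url = new URL(dialogPath, scriptBase);
  if (!sameOrigin(url, pageUrl)) {
    // A cross-origin iframe cannot reach into its parent, and the parent
    // cannot reach into it, so fall back to the local copy.
    url = new URL(dialogPath, localBase);
  }
  if (!sameOrigin(url, pageUrl)) {
    throw new Error('dialog would be cross-origin: ' + url.origin);
  }
  // set() keeps any existing query string intact and replaces a stale
  // `ver` value instead of appending a second one.
  url.searchParams.set('ver', version);
  return url.href;
}

// Constructed sample values.
const PAGE = 'https://blog.example/admin/post?post=1';
const CDN = 'https://cdn.example/editor/plugins/imagedialog/';
const LOCAL = 'https://blog.example/editor/plugins/imagedialog/';

console.log(dialogUrl(PAGE, CDN, LOCAL, 'dialog.html', '349'));
```
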

Attachments (1)

20094.diff (1.3 KB) - added by mdawaffe 15 months ago.


Change History (9)

  • Summary changed from The wpEditImage TinyMCE plugin is broken when TinyMCE is served from another doain to The wpEditImage TinyMCE plugin is broken when TinyMCE is served from another domain
  • Cc wordpress@… added

Looks good at a glance here.

comment:4 follow-up: ↓ 6   azaozz 15 months ago

Was planning to switch from thickbox to a native MCE popup there which would also (probably) fix the same-origin violation. Let's commit that first and if this problem still exists, can patch it then.

In [19977]:

Use native TinyMCE popup for the image properties dialog, fixes #20096, see #20094

comment:6 in reply to: ↑ 4 ; follow-up: ↓ 7   mdawaffe 15 months ago

Replying to azaozz:

Let's commit that first and if this problem still exists, can patch it then.

Problem still exists :)

comment:7 in reply to: ↑ 6 ; follow-up: ↓ 8   azaozz 15 months ago

Replying to mdawaffe:

Problem still exists :)

In this case we would probably need to patch all TinyMCE popups/dialogs. In the default configuration there are six of them: font color/color picker, paste as text, paste from word, special characters, help and the image properties.

I vaguely remember something about cross-domain hack for MCE, perhaps there's a setting we can use to turn that on (will investigate further).

comment:8 in reply to: ↑ 7   mdawaffe 15 months ago

Replying to azaozz:

In this case we would probably need to patch all TinyMCE popups/dialogs. In the default configuration there are six of them: font color/color picker, paste as text, paste from word, special characters, help and the image properties.

Confirmed that these other iframe-based dialogs also break (though if image properties is different than the wpEditImage dialog, I don't know where to find it).
