Make WordPress Core

Ticket #40020: 40020.2.diff

File 40020.2.diff, 1.8 KB (added by fullyint, 7 years ago)
  • src/wp-includes/class-wp-customize-manager.php

     
    18951895         * @return array Headers.
    18961896         */
    18971897        public function filter_iframe_security_headers( $headers ) {
    1898                 $customize_url                      = admin_url( 'customize.php' );
    1899                 $headers['X-Frame-Options']         = 'ALLOW-FROM ' . $customize_url;
    1900                 $headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );
     1898                $headers['X-Frame-Options']         = 'SAMEORIGIN';
     1899                $headers['Content-Security-Policy'] = "frame-ancestors 'self'";
    19011900                return $headers;
    19021901        }
    19031902
  • tests/phpunit/tests/customize/manager.php

     
    846846         * Test WP_Customize_Manager::filter_iframe_security_headers().
    847847         *
    848848         * @ticket 30937
     849         * @ticket 40020
    849850         * @covers WP_Customize_Manager::filter_iframe_security_headers()
    850851         */
    851852        function test_filter_iframe_security_headers() {
    852                 $customize_url = admin_url( 'customize.php' );
    853853                $wp_customize  = new WP_Customize_Manager();
    854854                $headers       = $wp_customize->filter_iframe_security_headers( array() );
    855855                $this->assertArrayHasKey( 'X-Frame-Options', $headers );
    856856                $this->assertArrayHasKey( 'Content-Security-Policy', $headers );
    857                 $this->assertEquals( "ALLOW-FROM $customize_url", $headers['X-Frame-Options'] );
     857                $this->assertEquals( 'SAMEORIGIN', $headers['X-Frame-Options'] );
     858                $this->assertEquals( "frame-ancestors 'self'", $headers['Content-Security-Policy'] );
    858859        }
    859860
    860861        /**