
Changeset 20741


Timestamp:
05/08/2012 08:13:34 PM (13 years ago)
Author:
koopersmith
Message:

Theme Customizer: Add cross-domain handling for when the admin and front-end are different origins. Handles both ajax and postMessage calls. props rboren, mdawaffe, nacin. see #20507, #19910.

Location:
trunk/wp-includes
Files:
3 edited

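--- a/trunk/wp-includes/class-wp-customize.php
+++ b/trunk/wp-includes/class-wp-customize.php
@@ -72,4 +72,16 @@
             return;
 
+        $url = parse_url( admin_url() );
+        $allowed_origins = array( 'http://' . $url[ 'host' ],  'https://' . $url[ 'host' ] );
+        // @todo preserve port?
+        if ( isset( $_SERVER[ 'HTTP_ORIGIN' ] ) && in_array( $_SERVER[ 'HTTP_ORIGIN' ], $allowed_origins ) ) {
+            $origin = $_SERVER[ 'HTTP_ORIGIN' ];
+        } else {
+            $origin = $url[ 'scheme' ] . '://' . $url[ 'host' ];
+        }
+
+        @header( 'Access-Control-Allow-Origin: ' .  $origin );
+        @header( 'Access-Control-Allow-Credentials: true' );
+
         $this->start_previewing_theme();
         show_admin_bar( false );
@@ -199,6 +211,4 @@
     public function customize_preview_settings() {
         $settings = array(
-            // @todo: Perhaps grab the URL via $_POST?
-            'parent' => esc_url( admin_url( 'themes.php' ) ),
             'values' => array(),
         );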
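Review bot: In the first hunk the `Access-Control-Allow-Origin` value now depends on the request's `Origin` header, but no `Vary: Origin` is emitted, so a shared cache in front of the site could hand a response stamped with one allowed origin to a request coming from the other; add `@header( 'Vary: Origin' );` beside the two new headers. The allowlist check should be exact-string, `in_array( $_SERVER[ 'HTTP_ORIGIN' ], $allowed_origins, true )`, which is what the code intends anyway. As the `@todo` already notes, building the allowlist from `$url[ 'host' ]` alone drops any port present in `admin_url()`, so an admin served on a non-default port never matches and the fallback origin is wrong as well; `$url[ 'port' ]` is available from the same `parse_url()` result, and a `false` return from `parse_url()` is not handled before `$url[ 'host' ]` is read. The enclosing method starts and ends outside the hunk.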
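--- a/trunk/wp-includes/js/customize-controls.dev.js
+++ b/trunk/wp-includes/js/customize-controls.dev.js
@@ -312,4 +312,8 @@
             api.Messenger.prototype.initialize.call( this, params.url );
 
+            // We're dynamically generating the iframe, so the origin is set
+            // to the current window's location, not the url's.
+            this.origin.unlink( this.url ).set( window.location.href );
+
             this.bind( 'url', function( url ) {
                 // Bail if we're navigating to the current url, to a different origin, or wp-admin.
@@ -344,13 +348,20 @@
                 this.request.abort();
 
-            this.request = $.post( this.url(), this.query() || {}, function( response ) {
-                var iframe = self.loader()[0].contentWindow;
-
-                self.loader().one( 'load', self.loaded );
-
-                iframe.document.open();
-                iframe.document.write( response );
-                iframe.document.close();
-            });
+            this.request = $.ajax( this.url(), {
+                type: 'POST',
+                data: this.query() || {},
+                success: function( response ) {
+                    var iframe = self.loader()[0].contentWindow;
+
+                    self.loader().one( 'load', self.loaded );
+
+                    iframe.document.open();
+                    iframe.document.write( response );
+                    iframe.document.close();
+                },
+                xhrFields: {
+                    withCredentials: true
+                }
+            } );
         }
     });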
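Review bot: `this.origin.unlink( this.url ).set( window.location.href )` in the first hunk stores the full current href, path and query string included, rather than a bare `scheme://host[:port]`; unless Messenger's `origin` value carries a setter that reduces it (not visible here), a receiver that compares it against `event.origin` would never match and every message would be dropped — worth confirming against api.Messenger. In the second hunk the `$.ajax` call has a `success` callback but no `error` callback, so a request refused by the cross-origin checks, or any transport failure, leaves the previous preview in place with nothing reported; the old `$.post` had the same gap, but this rewrite is the natural place to add an `error:` handler that surfaces the failure instead of failing silently. Both enclosing functions start outside their hunks.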
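--- a/trunk/wp-includes/js/customize-preview.dev.js
+++ b/trunk/wp-includes/js/customize-preview.dev.js
@@ -38,5 +38,5 @@
         var preview, body;
 
-        preview = new api.Preview( api.settings.parent );
+        preview = new api.Preview( window.location.href );
 
         $.each( api.settings.values, function( id, value ) {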
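Review bot: The switch from `api.settings.parent` to `window.location.href` is not self-explanatory, since this script runs in a document served by the front-end yet now addresses its own location rather than the admin URL; a comment is warranted, e.g. `// The preview is written into the admin's iframe via document.write, so its location (and origin) is the admin's, not the front-end url's.` — if that is indeed the reason, which the controls-side comment in this changeset suggests but this hunk alone does not show. The enclosing function starts and ends outside the hunk.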