Timestamp:
05/08/2012 08:13:34 PM (13 years ago)
Author:
koopersmith
Message:

Theme Customizer: Add cross-domain handling for when the admin and front-end are different origins. Handles both ajax and postMessage calls. props rboren, mdawaffe, nacin. see #20507, #19910.

File:
1 edited

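--- a/trunk/wp-includes/class-wp-customize.php
+++ b/trunk/wp-includes/class-wp-customize.php
@@ -72,4 +72,16 @@
             return;
 
+        $url = parse_url( admin_url() );
+        $allowed_origins = array( 'http://' . $url[ 'host' ],  'https://' . $url[ 'host' ] );
+        // @todo preserve port?
+        if ( isset( $_SERVER[ 'HTTP_ORIGIN' ] ) && in_array( $_SERVER[ 'HTTP_ORIGIN' ], $allowed_origins ) ) {
+            $origin = $_SERVER[ 'HTTP_ORIGIN' ];
+        } else {
+            $origin = $url[ 'scheme' ] . '://' . $url[ 'host' ];
+        }
+
+        @header( 'Access-Control-Allow-Origin: ' .  $origin );
+        @header( 'Access-Control-Allow-Credentials: true' );
+
         $this->start_previewing_theme();
         show_admin_bar( false );
@@ -199,6 +211,4 @@
     public function customize_preview_settings() {
         $settings = array(
-            // @todo: Perhaps grab the URL via $_POST?
-            'parent' => esc_url( admin_url( 'themes.php' ) ),
             'values' => array(),
         );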
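Review bot: The `$allowed_origins` list always contains both the `http://` and `https://` forms of the admin host, and the matching origin is echoed back alongside `Access-Control-Allow-Credentials: true`, so an admin served only over HTTPS still grants credentialed cross-origin reads of the preview to plain-HTTP pages on that host, whose content can be altered in transit. If that downgrade is not intended, narrow the list when the admin URL is HTTPS, e.g. `if ( 'https' === $url[ 'scheme' ] ) $allowed_origins = array( 'https://' . $url[ 'host' ] );`. Because the header value now depends on the request's `Origin`, also send `@header( 'Vary: Origin' );` so a cache cannot replay a response carrying another origin's grant. The enclosing method starts before this hunk, so whether an earlier check already limits who reaches this code is not visible here.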