Changeset 20882
- Timestamp:
- 05/24/2012 07:17:49 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 2 edited
trunk/wp-admin/customize.php
r20877 r20882 102 102 // insecure content warnings. This is not attempted if the admin and frontend 103 103 // are on different domains to avoid the case where the frontend doesn't have 104 // ssl certs. Domain mapping plugins can force ssl in these conditions using 105 // the customize_preview_link filter. 104 // ssl certs. Domain mapping plugins can allow other urls in these conditions 105 // using the customize_allowed_urls filter. 106 107 $allowed_urls = array( home_url('/') ); 106 108 $admin_origin = parse_url( admin_url() ); 107 $home_origin = parse_url( home_url() );108 $scheme = null; 109 $home_origin = parse_url( home_url() ); 110 109 111 if ( is_ssl() && ( $admin_origin[ 'host' ] == $home_origin[ 'host' ] ) ) 110 $ scheme = 'https';112 $allowed_urls[] = home_url( '/', 'https' ); 111 113 112 $ preview_url = apply_filters( 'customize_preview_link', home_url( '/', $scheme) );114 $allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) ); 113 115 114 116 $settings = array( … … 118 120 ), 119 121 'url' => array( 120 'preview' => esc_url( $preview_url),122 'preview' => esc_url( home_url( '/' ) ), 121 123 'parent' => esc_url( admin_url() ), 122 124 'ajax' => esc_url( admin_url( 'admin-ajax.php', 'relative' ) ), 125 'allowed' => array_map( 'esc_url', $allowed_urls ), 123 126 ), 124 127 'settings' => array(), -
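Review bot: The new `$allowed_urls` list is handed to the client, where (per the companion JS change) each entry is used as a plain string prefix against navigation targets, yet nothing at the `customize_allowed_urls` filter documents that contract; an entry added without a trailing slash, such as a bare `https://example.com`, would also accept any URL that merely begins with those characters. A comment above the filter would make the expectation explicit: `// Entries are prefix-matched on the client side; each must be a complete URL ending in '/'.` Normalizing the filtered list with `trailingslashit` before `array_unique` would enforce it rather than rely on every filter author reading the comment. Note also that the entries are passed through `esc_url` while the client compares them against raw `location.href` strings, so entries containing characters `esc_url` rewrites may never match — worth confirming. The surrounding file-level code of customize.php lies outside this hunk.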
trunk/wp-includes/js/customize-controls.dev.js
r20864 r20882 273 273 */ 274 274 initialize: function( params, options ) { 275 var self = this; 275 var self = this, 276 rscheme = /^https?/; 276 277 277 278 $.extend( this, options || {} ); … … 315 316 })( this ); 316 317 317 this.container = api.ensure( params.container ); 318 this.container = api.ensure( params.container ); 319 this.allowedUrls = params.allowedUrls; 318 320 319 321 api.Messenger.prototype.initialize.call( this, params.url ); … … 323 325 this.origin.unlink( this.url ).set( window.location.href ); 324 326 327 this.add( 'scheme', this.origin() ).link( this.origin ).setter( function( to ) { 328 var match = to.match( rscheme ); 329 return match ? match[0] : ''; 330 }); 331 325 332 // Limit the URL to internal, front-end links. 333 // 334 // If the frontend and the admin are served from the same domain, load the 335 // preview over ssl if the customizer is being loaded over ssl. This avoids 336 // insecure content warnings. This is not attempted if the admin and frontend 337 // are on different domains to avoid the case where the frontend doesn't have 338 // ssl certs. 339 326 340 this.url.setter( function( to ) { 327 // Bail if we're navigating to a different origin or wp-admin. 328 if ( 0 !== to.indexOf( self.origin() + '/' ) || -1 !== to.indexOf( 'wp-admin' ) ) 341 var result; 342 343 // Check for URLs that include "/wp-admin/" or end in "/wp-admin". 344 // Strip hashes and query strings before testing. 345 if ( /\/wp-admin(\/|$)/.test( to.replace(/[#?].*$/, '') ) ) 329 346 return null; 330 347 331 return to; 348 // Attempt to match the URL to the control frame's scheme 349 // and check if it's allowed. If not, try the original URL. 350 $.each([ to.replace( rscheme, self.scheme() ), to ], function( i, url ) { 351 $.each( self.allowedUrls, function( i, allowed ) { 352 if ( 0 === url.indexOf( allowed ) ) { 353 result = url; 354 return false; 355 } 356 }); 357 if ( result ) 358 return false; 359 }); 360 361 // If we found a matching result, return it. 
If not, bail. 362 return result ? result : null; 332 363 }); 333 364 … … 423 454 424 455 previewer = new api.Previewer({ 425 container: '#customize-preview', 426 form: '#customize-controls', 427 url: api.settings.url.preview 456 container: '#customize-preview', 457 form: '#customize-controls', 458 url: api.settings.url.preview, 459 allowedUrls: api.settings.url.allowed 428 460 }, { 429 461 query: function() {
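Review bot: In the new `url.setter`, the allow check `0 === url.indexOf( allowed )` is a bare prefix test, so whether an allowed entry guards a whole origin or only a string prefix depends entirely on it ending in `/`; the setter should not depend on the server having normalized the list. A small change makes the boundary explicit: `var prefix = allowed.replace( /\/?$/, '/' );` followed by `if ( url === allowed || 0 === url.indexOf( prefix ) ) {`. The inner `$.each` callback also re-declares `i`, shadowing the outer index; renaming it (e.g. `j`) avoids confusion when reading the nested loops. The `wp-admin` regex is case-sensitive, which is presumably fine on case-sensitive servers but worth confirming for hosts that serve paths case-insensitively. The `initialize` method and the `Previewer` construction both extend beyond this hunk.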