WordPress.org

Make WordPress Core

Changeset 44580


Ignore:
Timestamp:
01/14/2019 06:37:30 AM (7 months ago)
Author:
pento
Message:

Customizer: Improve browser compatibility of the preview iframe.

When home and siteurl are different, the customizer preview iframe will be blank in Chrome and Safari, due to their X-Frame-Options implementation quirks.

Changing this to SAMEORIGIN and adding the frame-ancestors Content Security Policy gives the correct behaviour.

Props fullyint.
Fixes #40020.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/class-wp-customize-manager.php

    r44228 r44580  
    18971897     */
    18981898    public function filter_iframe_security_headers( $headers ) {
    1899         $customize_url                      = admin_url( 'customize.php' );
    1900         $headers['X-Frame-Options']         = 'ALLOW-FROM ' . $customize_url;
    1901         $headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );
     1899        $headers['X-Frame-Options']         = 'SAMEORIGIN';
     1900        $headers['Content-Security-Policy'] = "frame-ancestors 'self'";
    19021901        return $headers;
    19031902    }
  • trunk/tests/phpunit/tests/customize/manager.php

    r43571 r44580  
    849849     *
    850850     * @ticket 30937
     851     * @ticket 40020
    851852     * @covers WP_Customize_Manager::filter_iframe_security_headers()
    852853     */
    853854    function test_filter_iframe_security_headers() {
    854         $customize_url = admin_url( 'customize.php' );
    855855        $wp_customize  = new WP_Customize_Manager();
    856856        $headers       = $wp_customize->filter_iframe_security_headers( array() );
    857857        $this->assertArrayHasKey( 'X-Frame-Options', $headers );
    858858        $this->assertArrayHasKey( 'Content-Security-Policy', $headers );
    859         $this->assertEquals( "ALLOW-FROM $customize_url", $headers['X-Frame-Options'] );
     859        $this->assertEquals( 'SAMEORIGIN', $headers['X-Frame-Options'] );
     860        $this->assertEquals( "frame-ancestors 'self'", $headers['Content-Security-Policy'] );
    860861    }
    861862
Note: See TracChangeset for help on using the changeset viewer.