Changeset 44580 for trunk/src/wp-includes/class-wp-customize-manager.php

Timestamp:

01/14/2019 06:37:30 AM (14 months ago)

Author:

pento

Message:

Customizer: Improve browser compatibility of the preview iframe.

When home and siteurl are different, the customizer preview iframe will be blank in Chrome and Safari, due to their X-Frame-Options implementation quirks.

Changing this to SAMEORIGIN and adding the frame-ancestors Content Security Policy gives the correct behaviour.

Props fullyint.
Fixes #40020.

File:

• trunk/src/wp-includes/class-wp-customize-manager.php (modified) (1 diff)

trunk/src/wp-includes/class-wp-customize-manager.php

@@ -1897 +1897 @@
      */
     public function filter_iframe_security_headers( $headers ) {
-        $customize_url                      = admin_url( 'customize.php' );
-        $headers['X-Frame-Options']         = 'ALLOW-FROM ' . $customize_url;
-        $headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );
+        $headers['X-Frame-Options']         = 'SAMEORIGIN';
+        $headers['Content-Security-Policy'] = "frame-ancestors 'self'";
         return $headers;
     }