Make WordPress Core

Timestamp:
01/14/2019 06:37:30 AM
Author:
pento
Message:

Customizer: Improve browser compatibility of the preview iframe.

When home and siteurl are different, the customizer preview iframe will be blank in Chrome and Safari, due to their X-Frame-Options implementation quirks.

Changing this to SAMEORIGIN and adding the frame-ancestors Content Security Policy gives the correct behaviour.

Props fullyint.
Fixes #40020.

  • trunk/src/wp-includes/class-wp-customize-manager.php

    r44228 r44580  
    18971897     */
    18981898    public function filter_iframe_security_headers( $headers ) {
    1899         $customize_url                      = admin_url( 'customize.php' );
    1900         $headers['X-Frame-Options']         = 'ALLOW-FROM ' . $customize_url;
    1901         $headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );
     1899        $headers['X-Frame-Options']         = 'SAMEORIGIN';
     1900        $headers['Content-Security-Policy'] = "frame-ancestors 'self'";
    19021901        return $headers;
    19031902    }
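Review bot: the docblock that closes just above `filter_iframe_security_headers()` should state the new assumption this hunk introduces: both `X-Frame-Options: SAMEORIGIN` and `frame-ancestors 'self'` only permit an ancestor whose scheme, host and port are identical to those of the preview response, so the preview document has to be served from the same origin as `customize.php`. Since the commit message says the motivating case is sites where home and siteurl differ, a one-line comment on why `'self'` still matches in that configuration (or a test exercising it) would keep the next reader from assuming these headers block exactly the case being fixed. Minor: the removed `preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url )` was the only consumer of `$customize_url`, so dropping that variable is correct, and the switch to a double-quoted string is needed to keep the literal `'self'` token intact.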