Timestamp:
01/14/2019 06:37:30 AM (6 years ago)
Author:
pento
Message:

Customizer: Improve browser compatibility of the preview iframe.

When home and siteurl are different, the customizer preview iframe will be blank in Chrome and Safari, due to their X-Frame-Options implementation quirks.

Changing this to SAMEORIGIN and adding the frame-ancestors Content Security Policy gives the correct behaviour.

Props fullyint.
Fixes #40020.

File:
1 edited

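--- a/trunk/tests/phpunit/tests/customize/manager.php
+++ b/trunk/tests/phpunit/tests/customize/manager.php
@@ -849,13 +849,14 @@
      *
      * @ticket 30937
+     * @ticket 40020
      * @covers WP_Customize_Manager::filter_iframe_security_headers()
      */
     function test_filter_iframe_security_headers() {
-        $customize_url = admin_url( 'customize.php' );
         $wp_customize  = new WP_Customize_Manager();
         $headers       = $wp_customize->filter_iframe_security_headers( array() );
         $this->assertArrayHasKey( 'X-Frame-Options', $headers );
         $this->assertArrayHasKey( 'Content-Security-Policy', $headers );
-        $this->assertEquals( "ALLOW-FROM $customize_url", $headers['X-Frame-Options'] );
+        $this->assertEquals( 'SAMEORIGIN', $headers['X-Frame-Options'] );
+        $this->assertEquals( "frame-ancestors 'self'", $headers['Content-Security-Policy'] );
     }
 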
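Review bot: The two added assertions at new lines 859-860 pin the header strings with assertEquals, which compares loosely; `assertSame` would additionally reject a non-string value coming out of the filter, i.e. `$this->assertSame( 'SAMEORIGIN', $headers['X-Frame-Options'] );` and `$this->assertSame( "frame-ancestors 'self'", $headers['Content-Security-Policy'] );`. The test still feeds only `array()` to the filter, so it does not show whether a pre-existing `X-Frame-Options` or `Content-Security-Policy` entry in the incoming headers is replaced or left as is; a second call with a pre-populated array would close that gap, since an older ALLOW-FROM value surviving next to the new frame-ancestors directive would be exactly the kind of inconsistent framing policy this fix is meant to remove. The enclosing test class and the docblock of this test method begin before the hunk.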