Changeset 61947 for trunk/src/wp-includes/media.php

Timestamp:

03/11/2026 11:38:35 PM (3 months ago)

Author:

adamsilverstein

Message:

Editor: Skip cross-origin isolation for third-party page builders.

Document-Isolation-Policy (DIP) isolates the document and blocks same-origin iframe access that page builders rely on. Skip DIP setup when a third-party page builder overrides the block editor via a custom action query parameter.

Also gates wp_is_client_side_media_processing_enabled() on a secure context check, since SharedArrayBuffer requires a secure context (HTTPS or localhost).

Props adamsilverstein, westonruter, mukesh27, louiswol94, manhar, illuminea.
Fixes #64803.

File:

• trunk/src/wp-includes/media.php (modified) (5 diffs)

trunk/src/wp-includes/media.php

@@ -6412 +6412 @@
  */
 function wp_is_client_side_media_processing_enabled(): bool {
+    // This is due to SharedArrayBuffer requiring a secure context.
+    $host    = strtolower( (string) strtok( $_SERVER['HTTP_HOST'] ?? '', ':' ) );
+    $enabled = ( is_ssl() || 'localhost' === $host || str_ends_with( $host, '.localhost' ) );
+
     /**
      * Filters whether client-side media processing is enabled.
@@ -6417 +6421 @@
      * @since 7.0.0
      *
-     * @param bool $enabled Whether client-side media processing is enabled. Default true.
-     */
-    return (bool) apply_filters( 'wp_client_side_media_processing_enabled', true );
+     * @param bool $enabled Whether client-side media processing is enabled. Default true if the page is served in a secure context.
+     */
+    return (bool) apply_filters( 'wp_client_side_media_processing_enabled', $enabled );
 }
 
@@ -6432 +6436 @@
     }
 
-    wp_add_inline_script( 'wp-block-editor', 'window.__clientSideMediaProcessing = true', 'before' );
+    wp_add_inline_script( 'wp-block-editor', 'window.__clientSideMediaProcessing = true;', 'before' );
 
     $chromium_version = wp_get_chromium_major_version();
@@ -6478 +6482 @@
  * on supported browsers (Chromium 137+).
  *
+ * Skips setup when a third-party page builder overrides the block
+ * editor via a custom `action` query parameter, as DIP would block
+ * same-origin iframe access that these editors rely on.
+ *
  * @since 7.0.0
  */
@@ -6492 +6500 @@
 
     if ( ! $screen->is_block_editor() && 'site-editor' !== $screen->id && ! ( 'widgets' === $screen->id && wp_use_widgets_block_editor() ) ) {
+        return;
+    }
+
+    /*
+     * Skip when a third-party page builder overrides the block editor.
+     * DIP isolates the document into its own agent cluster,
+     * which blocks same-origin iframe access that these editors rely on.
+     */
+    if ( isset( $_GET['action'] ) && 'edit' !== $_GET['action'] ) {
         return;
     }