Customizer: Improve browser compatibility of the preview iframe.

When `home` and `siteurl` are different, the customizer preview iframe will be blank in Chrome and Safari, due to their `X-Frame-Options` implementation quirks.

Changing this to `SAMEORIGIN` and adding the `frame-ancestors` Content Security Policy gives the correct behaviour.

Props fullyint.
Fixes #40020.


Built from https://develop.svn.wordpress.org/trunk@44580


git-svn-id: http://core.svn.wordpress.org/trunk@44411 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2019-01-14 06:38:51 +00:00
parent 10c66fb426
commit d8f4a04232
2 changed files with 3 additions and 4 deletions

View File

@ -1896,9 +1896,8 @@ final class WP_Customize_Manager {
* @return array Headers.
*/
public function filter_iframe_security_headers( $headers ) {
$customize_url = admin_url( 'customize.php' );
$headers['X-Frame-Options'] = 'ALLOW-FROM ' . $customize_url;
$headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );
$headers['X-Frame-Options'] = 'SAMEORIGIN';
$headers['Content-Security-Policy'] = "frame-ancestors 'self'";
return $headers;
}

View File

@ -13,7 +13,7 @@
*
* @global string $wp_version
*/
$wp_version = '5.1-beta1-44579';
$wp_version = '5.1-beta1-44580';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.