From d8f4a042329557f14917c00afcbc1fd2003b5d34 Mon Sep 17 00:00:00 2001 From: Gary Pendergast Date: Mon, 14 Jan 2019 06:38:51 +0000 Subject: [PATCH] Customizer: Improve browser compatibility of the preview iframe. When `home` and `siteurl` are different, the customizer preview iframe will be blank in Chrome and Safari, due to their `X-Frame-Options` implementation quirks. Changing this to `SAMEORIGIN` and adding the `frame-ancestors` Content Security Policy gives the correct behaviour. Props fullyint. Fixes #40020. Built from https://develop.svn.wordpress.org/trunk@44580 git-svn-id: http://core.svn.wordpress.org/trunk@44411 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/class-wp-customize-manager.php | 5 ++--- wp-includes/version.php | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/wp-includes/class-wp-customize-manager.php b/wp-includes/class-wp-customize-manager.php index d2d89ff892..7aa50f7862 100644 --- a/wp-includes/class-wp-customize-manager.php +++ b/wp-includes/class-wp-customize-manager.php @@ -1896,9 +1896,8 @@ final class WP_Customize_Manager { * @return array Headers. */ public function filter_iframe_security_headers( $headers ) { - $customize_url = admin_url( 'customize.php' ); - $headers['X-Frame-Options'] = 'ALLOW-FROM ' . $customize_url; - $headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url ); + $headers['X-Frame-Options'] = 'SAMEORIGIN'; + $headers['Content-Security-Policy'] = "frame-ancestors 'self'"; return $headers; } diff --git a/wp-includes/version.php b/wp-includes/version.php index e1f9e1ad24..86c3c1c45f 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.1-beta1-44579'; +$wp_version = '5.1-beta1-44580'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.