Customizer: Improve browser compatibility of the preview iframe.

When `home` and `siteurl` are different, the customizer preview iframe will be blank in Chrome and Safari, due to their `X-Frame-Options` implementation quirks. Changing this to `SAMEORIGIN` and adding the `frame-ancestors` Content Security Policy gives the correct behaviour. Props fullyint. Fixes #40020. Built from https://develop.svn.wordpress.org/trunk@44580 git-svn-id: http://core.svn.wordpress.org/trunk@44411 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-01-14 06:38:51 +00:00 · 2019-01-14 06:38:51 +00:00 · d8f4a04232
parent 10c66fb426
commit d8f4a04232
2 changed files with 3 additions and 4 deletions
--- a/wp-includes/class-wp-customize-manager.php
+++ b/wp-includes/class-wp-customize-manager.php
@ -1896,9 +1896,8 @@ final class WP_Customize_Manager {
 	 * @return array Headers.
 	 */
 	public function filter_iframe_security_headers( $headers ) {
-		$customize_url                      = admin_url( 'customize.php' );
-		$headers['X-Frame-Options']         = 'ALLOW-FROM ' . $customize_url;
-		$headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );
+		$headers['X-Frame-Options']         = 'SAMEORIGIN';
+		$headers['Content-Security-Policy'] = "frame-ancestors 'self'";
 		return $headers;
 	}

--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.1-beta1-44579';
+$wp_version = '5.1-beta1-44580';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.