[wp-trac] [WordPress Trac] #40020: Customizer fails to load in Safari due to X-Origin Header mismatch
WordPress Trac
noreply at wordpress.org
Thu Mar 2 20:45:29 UTC 2017
#40020: Customizer fails to load in Safari due to X-Origin Header mismatch
--------------------------+-----------------------------
Reporter: nickkeenan | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 4.7.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Steps to Reproduce:
1) Using Safari (10.0.3, possibly other recent versions)
2) Plugins disabled, using TwentySeventeen theme, and WP 4.7.2
3) This is a site where the '''home''' and '''siteurl''' slightly differ.
home is '''domain.com''', and siteurl is '''domain.com/wp'''.
4) Open the Customizer.
Result: Blank Customizer Frame, with console errors:
[Error] Multiple 'X-Frame-Options' headers with conflicting values
('ALLOW-FROM http://archetype.gameflow.design/wp/wp-admin/customize.php,
SAMEORIGIN') encountered when loading
'http://domain.com/?customize_changeset_uuid={{INSERT-UUID-
HERE}}&customize_theme=twentyseventeen&customize_messenger_channel=preview-0'.
Falling back to 'DENY'.
[Error] Refused to display
'http://archetype.gameflow.design/?customize_changeset_uuid={{INSERT-UUID-
HERE}}&customize_theme=twentyseventeen&customize_messenger_channel=preview-0'
in a frame because it set 'X-Frame-Options' to 'ALLOW-FROM
http://archetype.gameflow.design/wp/wp-admin/customize.php, SAMEORIGIN'.
Potential Cause:
There are conflicting X-Frame-Headers which fall back to DENY in Safari
10.0.3.
`wp-includes/class-wp-customize-manager.php` line 1599:
`public function filter_iframe_security_headers( $headers )`
Conflicts with
`wp-includes/functions.php` line 5017:
`function send_frame_options_header()`
Which is loaded on `default-filters.php` on either `login_init` or
`admin_init`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40020>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
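
The conflict reported in the console message above can be checked against captured response headers. This is an added example, not part of the ticket or of WordPress core: the function names and sample headers are constructed, and the fall-back-to-DENY rule models the Safari message quoted in the ticket.

```javascript
// Added example. Sample headers are constructed; domain.com is the ticket's placeholder.
// Assumption: any two distinct X-Frame-Options values conflict and the browser
// then enforces DENY, as the Safari console message in the ticket reports.

// Gather every X-Frame-Options value: the header may repeat, and a single
// header line may carry several comma-separated values.
function frameOptionsValues(headerLines) {
  const values = [];
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon === -1) continue;
    if (line.slice(0, colon).trim().toLowerCase() !== 'x-frame-options') continue;
    for (const part of line.slice(colon + 1).split(',')) {
      if (part.trim()) values.push(part.trim());
    }
  }
  return values;
}

// Directives are case-insensitive; keep the origin of ALLOW-FROM as sent.
function normalize(value) {
  const [directive, ...origin] = value.split(/\s+/);
  const d = directive.toUpperCase();
  return d === 'ALLOW-FROM' ? `${d} ${origin.join(' ')}` : d;
}

// Report the policy the frame ends up with and whether the headers conflict.
function effectiveFrameOptions(headerLines) {
  const values = [...new Set(frameOptionsValues(headerLines).map(normalize))];
  if (values.length === 0) return { policy: null, conflict: false, values };
  if (values.length === 1) return { policy: values[0], conflict: false, values };
  return { policy: 'DENY', conflict: true, values };
}

// Constructed response for the preview URL, carrying both values from the console message.
const previewResponse = [
  'Content-Type: text/html; charset=UTF-8',
  'X-Frame-Options: ALLOW-FROM http://domain.com/wp/wp-admin/customize.php',
  'X-Frame-Options: SAMEORIGIN',
];

console.log(effectiveFrameOptions(previewResponse));
```

Repeated headers with the same value are treated as a single policy, so only genuinely different values are flagged.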