[wp-trac] [WordPress Trac] #40020: Customizer fails to load in Safari due to X-Origin Header mismatch
WordPress Trac
noreply at wordpress.org
Wed Apr 11 17:41:30 UTC 2018
#40020: Customizer fails to load in Safari due to X-Origin Header mismatch
------------------------------------+------------------------------
Reporter: nickkeenan | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 4.7.2
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses:
------------------------------------+------------------------------
Comment (by westonruter):
@fullyint your reasoning seems sound to me. Part of the reason for using
`ALLOW-FROM` was the idea that the iframe could be limited to be embedded
from just `customize.php`. But apparently that's not how `ALLOW-FROM`
works and this granular usage of allowing from specific URL paths isn't
supported.
I'd like to get a +1 from someone else who is more familiar with the
security implications of these headers.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40020#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
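The header behaviour discussed in this comment, modelled as an added example (not code from WordPress core or from this ticket): browsers evaluate `ALLOW-FROM` against the embedding document's serialized origin, so the path of a value such as `.../wp-admin/customize.php` is discarded and any page on that origin may frame the response. The URLs are constructed placeholders, and comparing only the top-level document (rather than every ancestor frame) is a simplification.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url: str) -> str:
    """Serialize a URL's origin as scheme://host[:port] (RFC 6454 style).

    Path, query and fragment are not part of an origin, which is why an
    ALLOW-FROM value cannot be narrowed to a single path like customize.php.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not scheme or not host:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port or DEFAULT_PORTS.get(scheme)
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"  # default port is omitted
    return f"{scheme}://{host}:{port}"


def parse_x_frame_options(header: str):
    """Return (directive, allowed_origin_or_None) for an X-Frame-Options value."""
    tokens = header.strip().split(None, 1)
    directive = tokens[0].upper() if tokens else ""
    if directive in ("DENY", "SAMEORIGIN"):
        return directive, None
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        # The browser keeps only the origin of the given URL.
        return directive, serialize_origin(tokens[1].strip())
    raise ValueError(f"unrecognised X-Frame-Options value: {header!r}")


def framing_permitted(header: str, framed_url: str, top_level_url: str) -> bool:
    """Decide whether the top-level document may frame the response.

    Simplification (assumption): only the top-level document's origin is
    checked, not every ancestor frame in between.
    """
    directive, allowed = parse_x_frame_options(header)
    top = serialize_origin(top_level_url)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return top == serialize_origin(framed_url)
    return top == allowed  # ALLOW-FROM: origin match, path never consulted
```

With `ALLOW-FROM https://example.com/wp-admin/customize.php`, a constructed `https://example.com/wp-admin/edit.php` top-level page is permitted just as `customize.php` would be, which is the granularity limitation @fullyint and @westonruter describe.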