[wp-trac] [WordPress Trac] #38571: Customizer preview blocked by content security policy
WordPress Trac
noreply at wordpress.org
Sun Feb 19 00:40:17 UTC 2017
#38571: Customizer preview blocked by content security policy
-------------------------------+-------------------------
Reporter: rahilwazir | Owner: rahilwazir
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Customize | Version:
Severity: normal | Resolution: invalid
Keywords: reporter-feedback | Focuses:
-------------------------------+-------------------------
Comment (by westonruter):
@khromov is the `home` option (frontend URL) set to be the same as your
`siteurl` option (backend WP admin URL)?
On the wordpress-develop site on VVV, the iframe document has the
following response headers:
{{{
X-Frame-Options: ALLOW-FROM http://src.wordpress-develop.dev/wp-admin/customize.php
Content-Security-Policy: frame-ancestors http://src.wordpress-develop.dev
}}}
There seems to be a discrepancy between what you've pasted (e.g.
additional quote marks and lower-case header names) compared to what WP on
my VVV install returns. Are you sure you don't have Nginx configured to
send headers of its own in addition to what WP is returning?
If you comment-out the contents of
`\WP_Customize_Manager::filter_iframe_security_headers()` so the headers
aren't sent, does the security policy still get violated?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38571#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
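To make the check in this comment mechanical, here is an added example (my code, not WordPress core's) that evaluates a preview response's `Content-Security-Policy: frame-ancestors` against the origin of the embedding `customize.php` page the way a browser does, and flags the two symptoms raised above: an embedder origin that differs from the preview origin (`home` vs `siteurl`) and a quoted header value that the web server rather than WP is likely to have added. `frame_verdict`, `source_allows` and `parse_origin` are names I chose; the header values are the ones quoted in the comment.

```python
import re

def parse_origin(url):
    """Reduce an http(s) URL to (scheme, host, port); None if it cannot be parsed."""
    m = re.match(r'^(https?)://([^/:\s]+)(?::(\d+))?', url.strip().lower())
    if not m:
        return None
    scheme, host, port = m.groups()
    return scheme, host, int(port) if port else (443 if scheme == 'https' else 80)

def source_allows(source, origin, self_origin):
    """CSP host-source matching as used by frame-ancestors (common source forms only)."""
    src = source.lower()
    if src in ("'none'", "'self'", '*'):
        return {"'none'": False, "'self'": origin == self_origin, '*': True}[src]
    if re.fullmatch(r'https?:', src):                 # scheme-source such as "https:"
        return origin[0] == src[:-1]
    m = re.fullmatch(r'(?:(https?)://)?(\*\.)?([^/:]+)(?::(\d+|\*))?', src)
    if not m:
        return False
    scheme, wild, host, port = m.groups()
    host_ok = origin[1].endswith('.' + host) if wild else origin[1] == host
    if not host_ok or (scheme and scheme != origin[0]):
        return False
    if port is None:                                  # no port in the source: only the default port matches
        return origin[2] == (443 if origin[0] == 'https' else 80)
    return port == '*' or int(port) == origin[2]

def frame_verdict(headers, embedder_url, preview_url):
    """Constructed diagnostic, not WordPress code. headers: [(name, value), ...] sent with
    the preview document; embedder_url: the customize.php page. Returns (allowed, findings)."""
    embedder, self_origin = parse_origin(embedder_url), parse_origin(preview_url)
    findings, allowed = [], True
    if embedder != self_origin:
        findings.append('embedder and preview origins differ (compare the home and siteurl options)')
    for name, value in headers:
        if name.lower() != 'content-security-policy':  # header names are case-insensitive
            continue
        if value.strip().startswith('"'):             # a quoted value is a sign the server, not WP, set it
            findings.append('CSP value is wrapped in quotes; browsers will not recognise its directives')
        for directive in value.split(';'):
            parts = directive.split()
            if parts and parts[0].lower() == 'frame-ancestors':
                # With several CSP headers, every policy must allow the embedder.
                if not any(source_allows(s, embedder, self_origin) for s in parts[1:]):
                    allowed = False
                    findings.append('blocked by policy: ' + directive.strip())
    return allowed, findings
```

The block evaluates CSP only, since a browser that sees a frame-ancestors directive ignores X-Frame-Options.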