[wp-trac] [WordPress Trac] #40020: Customizer fails to load in Safari due to X-Origin Header mismatch
WordPress Trac
noreply at wordpress.org
Mon Mar 20 18:15:13 UTC 2017
#40020: Customizer fails to load in Safari due to X-Origin Header mismatch
-------------------------------+------------------------------
Reporter: nickkeenan | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 4.7.2
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Changes (by westonruter):
* keywords: => reporter-feedback
Comment:
@nickkeenan I cannot reproduce this issue.
The call to `send_frame_options_header()` happens ''before''
`WP::send_headers()` which is what invokes
`WP_Customize_Manager::filter_iframe_security_headers()` via the
`wp_headers` filter. Because `WP::send_headers()` uses `header( $header )`
and leaves off the second `$replace` parameter, the default value of
`true` will be used. This means the last-sent `X-Frame-Options` header
should be the one that ultimately gets sent to the client.
I set up a configuration similar to yours, with WordPress installed in a
subdirectory, the `home` being set to `http://core-subdirectory.vvv` and
the `siteurl` being set to `http://core-subdirectory.vvv/src`.
When I go to `http://core-subdirectory.vvv/src/wp-admin/customize.php`, I
get this response header back:
{{{
X-Frame-Options: SAMEORIGIN
}}}
When I look at the network console for the document loaded into the
iframe, here `http://core-subdirectory.vvv/?customize_changeset_uuid=92126aad-72f7-4c15-a7b1-e73ed23fb7a4&customize_theme=twentyseventeen&customize_messenger_channel=preview-0`,
I get these headers in the response:
{{{
X-Frame-Options: ALLOW-FROM http://core-subdirectory.vvv/src/wp-admin/customize.php
Content-Security-Policy: frame-ancestors http://core-subdirectory.vvv
}}}
So I'm not sure why your `X-Frame-Options` headers are showing multiple
combined values that conflict. My best guess is that your web server is
configured to add this additional value to the `X-Frame-Options` response
header, or you have a plugin that is calling something like:
{{{#!php
<?php
add_action( 'send_headers', function() {
header( 'X-Frame-Options: SAMEORIGIN', false );
} );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40020#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
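As an added defender's check (not part of the ticket, the reporter's setup, or WordPress core), a small Python routine that parses a response's headers and reports the two inconsistencies the comment above is concerned with: multiple combined `X-Frame-Options` values, or an `ALLOW-FROM` URL whose origin is absent from the CSP `frame-ancestors` list. The sample headers are constructed from the values quoted in the comment; the "BROKEN" response is hypothetical.

```python
from urllib.parse import urlsplit

# Constructed samples modelled on the responses quoted in the ticket comment;
# PREVIEW_BROKEN is a hypothetical response where a second value was appended.
CUSTOMIZER_OK = "X-Frame-Options: SAMEORIGIN\r\n"
PREVIEW_OK = (
    "X-Frame-Options: ALLOW-FROM http://core-subdirectory.vvv/src/wp-admin/customize.php\r\n"
    "Content-Security-Policy: frame-ancestors http://core-subdirectory.vvv\r\n"
)
PREVIEW_BROKEN = PREVIEW_OK + "X-Frame-Options: SAMEORIGIN\r\n"

def parse_headers(raw):
    """Map lower-cased header name -> list of values; repeated headers are all kept."""
    headers = {}
    for line in raw.splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def xfo_values(headers):
    """Every X-Frame-Options value, whether sent as repeated headers or comma-joined."""
    return [p.strip() for v in headers.get("x-frame-options", [])
            for p in v.split(",") if p.strip()]

def frame_ancestors(headers):
    """Sources listed in any frame-ancestors directive of Content-Security-Policy."""
    sources = []
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources.extend(parts[1:])
    return sources

def check_frame_headers(raw):
    """Return a list of inconsistencies; an empty list means the framing headers agree."""
    headers = parse_headers(raw)
    problems = []
    vals = xfo_values(headers)
    if len(vals) > 1:
        problems.append(f"multiple X-Frame-Options values: {vals}")
    ancestors = frame_ancestors(headers)
    for v in vals:
        if v.upper().startswith("ALLOW-FROM "):
            p = urlsplit(v.split(None, 1)[1])
            origin = f"{p.scheme}://{p.netloc}"
            if ancestors and origin not in ancestors:
                problems.append(f"ALLOW-FROM origin {origin} missing from frame-ancestors {ancestors}")
    return problems
```

Feed it the raw response headers captured from `customize.php` and from the preview document; a non-empty result on the preview response points at a web server rule or plugin hook adding a second value.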