[wp-trac] [WordPress Trac] #40020: Customizer fails to load in Safari due to X-Origin Header mismatch
WordPress Trac
noreply at wordpress.org
Tue Nov 7 19:23:00 UTC 2017
#40020: Customizer fails to load in Safari due to X-Origin Header mismatch
-------------------------------+------------------------------
Reporter: nickkeenan | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 4.7.2
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Comment (by jeremyfelt):
I'm able to reproduce this in Safari 11.0.1 when Nginx has an `add_header X-Frame-Options SAMEORIGIN always;` directive applied. Safari sees conflicting rules and then falls back to `DENY`.
When the directive is removed in Nginx, the Customizer frame loads, but Safari still reports an error that `ALLOW-FROM http://wp.wsu.dev/wp-admin/customize.php` is not a recognized directive for `X-Frame-Options` and ignores the header. Safari and Chrome [https://caniuse.com/#feat=x-frame-options do not support] `ALLOW-FROM`.
In my case, I *believe* it's safe (in custom code) to remove the `ALLOW-FROM` header and rely on the `SAMEORIGIN` provided by Nginx and the `frame-ancestors` CSP provided by core Customizer code.
I'm not sure that it makes sense as a change in core, so it may be okay to
close this ticket as a config conflict that's best handled on a case by
case basis.
FWIW, `X-Frame-Options` is deprecated and `frame-ancestors` is a
[https://caniuse.com/#feat=contentsecuritypolicy2 well supported]
replacement. Once IE11 fades off some more, it may be possible to rely on
`frame-ancestors` alone.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40020#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
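An added check, not part of the ticket or of WordPress core, that models the behaviour jeremyfelt describes: it collapses every `X-Frame-Options` value a response carries the way Safari did here (conflicting values become `DENY`, `ALLOW-FROM` is ignored), reads the CSP `frame-ancestors` directive, and reports whether a given framing page would be allowed. The sample headers, the origin-matching rules and the conservative rule that every mechanism present must allow framing are assumptions of this example.

```python
# Added example (not WordPress core or Nginx code): predict whether a framing
# page may embed a response, modelling the behaviour described in the ticket
# (conflicting X-Frame-Options values collapse to DENY; ALLOW-FROM is ignored).
from urllib.parse import urlsplit


def origin_of(url):
    """Scheme + host[:port], lower-cased, which is what browsers compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def effective_xfo(values):
    """Collapse every X-Frame-Options value sent into one verdict plus notes."""
    norm = sorted({v.strip().upper() for v in values})
    if not norm:
        return None, []
    if len(norm) > 1:  # e.g. SAMEORIGIN from Nginx plus ALLOW-FROM from core
        return "DENY", [f"conflicting X-Frame-Options values {norm}; treated as DENY"]
    if norm[0].startswith("ALLOW-FROM"):
        return None, ["ALLOW-FROM is not understood by Safari/Chrome; header ignored"]
    return norm[0], []


def frame_ancestors(csp_values):
    """Source list of the last frame-ancestors directive seen, or None if absent."""
    sources = None
    for policy in csp_values:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
    return sources


def audit_framing(headers, page_url, framer_url):
    """headers: (name, value) pairs exactly as sent, duplicates kept.
    Conservative rule (assumption): every mechanism present must allow framing.
    Only exact origins, 'self' and '*' are matched in frame-ancestors here."""
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    page, framer = origin_of(page_url), origin_of(framer_url)
    verdict, notes = effective_xfo(xfo)
    allowed = not (verdict == "DENY" or (verdict == "SAMEORIGIN" and framer != page))
    sources = frame_ancestors(csp)
    if sources is None:
        notes.append("no frame-ancestors directive; X-Frame-Options is the only control")
    else:
        allowed = allowed and ("*" in sources or framer in sources
                               or ("self" in sources and framer == page))
    return allowed, notes
```

Feeding it the three headers from the ticket (Nginx's `SAMEORIGIN`, core's `ALLOW-FROM`, and core's `frame-ancestors 'self'`) reproduces the failure; dropping either `X-Frame-Options` value lets the Customizer frame load.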