[wp-trac] [WordPress Trac] #40020: Customizer fails to load in Safari due to X-Origin Header mismatch
WordPress Trac
noreply at wordpress.org
Tue Apr 10 04:48:09 UTC 2018
#40020: Customizer fails to load in Safari due to X-Origin Header mismatch
------------------------------------+------------------------------
Reporter: nickkeenan | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 4.7.2
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses:
------------------------------------+------------------------------
Changes (by fullyint):
* keywords: reporter-feedback => has-patch dev-feedback
Comment:
@westonruter thank you for your huge work on the Customizer.
What do you think about changing `ALLOW-FROM` to `SAMEORIGIN` in
`WP_Customize_Manager::filter_iframe_security_headers()`? I added an
example patch with the change.
With broader [https://caniuse.com/#feat=x-frame-options browser support],
`SAMEORIGIN` should offer broader protection. A switch to `SAMEORIGIN`
would also prevent this ticket's original issue where a supported
`X-Frame-Options` value from the server conflicts with an unsupported value
from the code (Safari not supporting `ALLOW-FROM`). The `ALLOW-FROM`
option is probably typically ineffectual anyway as I think modern browsers
give priority to the `frame-ancestors` CSP that the Customizer adds to the
embedded content.
As discussed in #39128, the Customizer currently only functions if the
embedded content is served from the `SAMEORIGIN` as the
`wp-admin/customize.php`'s `siteurl`. Thus the current `ALLOW-FROM siteurl`
is functionally the same as the proposed `SAMEORIGIN`. This remains true
when your workaround for #39128 is applied
(https://gist.github.com/westonruter/a9c6841ba7f28192e3eb7d90c9316e75).
Following this same reasoning, the proposed patch switches the
`frame-ancestors siteurl` CSP to the simpler `frame-ancestors 'self'`.
Until the proposed switch to `SAMEORIGIN` is applied (if approved),
sysadmins dealing with Nginx could avoid applying `SAMEORIGIN` to the
embedded Customizer content:
{{{
# Avoid SAMEORIGIN conflict with ALLOW-FROM in Safari with WordPress Customizer
# until https://core.trac.wordpress.org/ticket/40020 is resolved
set $x_frame_options SAMEORIGIN;
# The Customizer preview URL carries ?customize_changeset_uuid=...; for those
# requests send no X-Frame-Options at all (nginx skips an add_header whose
# value is empty), leaving only the CSP below to restrict framing.
if ($arg_customize_changeset_uuid) {
    set $x_frame_options "";
}
add_header X-Frame-Options $x_frame_options;
add_header Content-Security-Policy "frame-ancestors 'self'";
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40020#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
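The header interaction the comment above describes (two X-Frame-Options values disagreeing, and a CSP `frame-ancestors` directive taking precedence over both) can be modelled directly. The following is an added example, not code from the ticket, its patch, or WordPress: it implements the X-Frame-Options check and the frame-ancestors precedence as the HTML Standard and CSP3 specify them (conflicting XFO values block framing; any `frame-ancestors` directive causes XFO to be ignored). Whether a given 2018 Safari build applied exactly these rules is not something the model can show. The `SITE` origin and the header sets are constructed to mirror the ticket's scenario.

```python
"""Model of a browser's "may this response be framed?" decision from its
X-Frame-Options (XFO) and Content-Security-Policy (CSP) headers.

Added example: implements the HTML Standard's XFO check and CSP3's
frame-ancestors precedence; header sets are constructed, SITE is a placeholder.
"""
from typing import Iterable, List, Tuple

Header = Tuple[str, str]
SITE = "https://example.com"  # constructed stand-in for the WordPress siteurl


def header_values(headers: Iterable[Header], name: str) -> List[str]:
    """Collect one header's values across repeated header lines, splitting
    comma-separated lists (fetch's "get, decode, and split")."""
    out: List[str] = []
    for k, v in headers:
        if k.lower() == name.lower():
            out.extend(p.strip() for p in v.split(",") if p.strip())
    return out


def frame_ancestors_allows(sources: str, doc_origin: str, ancestors: List[str]) -> bool:
    """Simplified frame-ancestors matching: 'none', 'self' and exact origins
    only (no wildcards or scheme-only sources). Every ancestor must match."""
    srcs = sources.split()
    if "'none'" in srcs:
        return False
    return all(
        any((s == "'self'" and a == doc_origin) or s == a for s in srcs)
        for a in ancestors
    )


def framing_allowed(headers: Iterable[Header], doc_origin: str, ancestors: List[str]) -> bool:
    """True if a document served with `headers` at `doc_origin` may be
    embedded, given the origins of its ancestor browsing contexts."""
    headers = list(headers)
    if not ancestors:
        return True  # top-level navigation: nothing to enforce

    # 1. If any CSP policy carries frame-ancestors, X-Frame-Options is not
    #    consulted at all; every such policy must allow the ancestors.
    fa_policies: List[str] = []
    for policy in header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            name, _, value = directive.strip().partition(" ")
            if name.lower() == "frame-ancestors":
                fa_policies.append(value.strip())
    if fa_policies:
        return all(frame_ancestors_allows(p, doc_origin, ancestors) for p in fa_policies)

    # 2. X-Frame-Options: distinct values across all header lines form a set.
    xfo = {v.lower() for v in header_values(headers, "X-Frame-Options")}
    if not xfo:
        return True
    if len(xfo) > 1:
        # Conflicting values: framing is blocked if any recognised value is present.
        return not (xfo & {"deny", "sameorigin", "allowall"})
    (value,) = xfo
    if value == "deny":
        return False
    if value == "sameorigin":
        return all(a == doc_origin for a in ancestors)
    return True  # a single unrecognised value (e.g. ALLOW-FROM ...) is ignored


def customizer_headers() -> List[Header]:
    """Headers the Customizer adds to the preview, per the ticket."""
    return [("X-Frame-Options", f"ALLOW-FROM {SITE}"),
            ("Content-Security-Policy", f"frame-ancestors {SITE}")]


def xfo_conflict() -> bool:
    """The ticket's failure, X-Frame-Options only: nginx's SAMEORIGIN plus
    the Customizer's ALLOW-FROM are two distinct values."""
    headers = [("X-Frame-Options", "SAMEORIGIN"), customizer_headers()[0]]
    return framing_allowed(headers, SITE, [SITE])  # False: blocked, same origin or not


def xfo_after_patch() -> bool:
    """After the proposed patch both sides send SAMEORIGIN; the set has one value."""
    headers = [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "SAMEORIGIN")]
    return framing_allowed(headers, SITE, [SITE])


def with_csp() -> Tuple[bool, bool]:
    """Same XFO conflict, but a frame-ancestors directive is present, so the
    conflict is moot: same-origin framing allowed, a foreign ancestor refused."""
    headers = [("X-Frame-Options", "SAMEORIGIN"), customizer_headers()[0],
               ("Content-Security-Policy", "frame-ancestors 'self'")]
    return (framing_allowed(headers, SITE, [SITE]),
            framing_allowed(headers, SITE, ["https://attacker.example"]))


def nginx_workaround() -> bool:
    """The comment's nginx workaround on a preview request: nginx sends no XFO,
    only frame-ancestors 'self', alongside whatever the Customizer adds."""
    headers = customizer_headers() + [("Content-Security-Policy", "frame-ancestors 'self'")]
    return framing_allowed(headers, SITE, [SITE])
```

`xfo_conflict()` is the comment's point in miniature: once a server layer and the application each emit their own X-Frame-Options value, the browser sees a conflict and refuses to frame the page even for the origin both values meant to allow. `with_csp()` shows why `ALLOW-FROM` is "probably ineffectual": as soon as `frame-ancestors` is present the XFO lines are never read, and `'self'` then does the same job as `siteurl`. The nginx workaround works for the same reason.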