[wp-trac] [WordPress Trac] #46301: Customizer iframe warning
WordPress Trac
noreply at wordpress.org
Thu Jan 30 08:41:09 UTC 2025
#46301: Customizer iframe warning
-------------------------------+------------------------------
Reporter: mensmaximus | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 5.1
Severity: minor | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Comment (by ermiuyo):
The warning in the browser console is triggered because the preview iframe
inside the WordPress Customizer (customize.php) is being loaded with both
allow-scripts and allow-same-origin in its sandbox attribute. This
combination allows scripts within the iframe to break out of the sandbox,
which is a security concern. Additionally, the Content Security Policy
(CSP) message indicates that x-frame-options is being ignored due to the
presence of frame-ancestors.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46301#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
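The two conditions the comment describes can be checked before a browser console reports them. The following is an added example, not WordPress core code and not the commenter's; the iframe markup and response headers are constructed sample input, not taken from customize.php.

```javascript
// Added example: lints an iframe sandbox value and a set of response headers
// for the two issues the ticket comment describes.
const DANGEROUS_PAIR = ['allow-scripts', 'allow-same-origin'];

// Split a sandbox attribute value into its token set.
// An empty value is the strictest sandbox (every restriction applied).
function parseSandbox(value) {
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Returns a finding when the sandbox grants both allow-scripts and
// allow-same-origin: a same-origin script inside the frame can then reach the
// parent document and remove the sandbox attribute, so the sandbox isolates
// nothing. Returns null when the attribute is absent or the pair is not both set.
function auditSandbox(value) {
  if (value === null || value === undefined) return null; // no sandbox attribute
  const tokens = parseSandbox(value);
  return DANGEROUS_PAIR.every((t) => tokens.has(t))
    ? 'sandbox grants allow-scripts and allow-same-origin: scripts can escape the sandbox'
    : null;
}

// Returns a finding when X-Frame-Options is sent together with a CSP that
// contains frame-ancestors; browsers ignore X-Frame-Options in that case, so
// the CSP directive is the effective control. Header names are case-insensitive.
function auditFramingHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const csp = lower['content-security-policy'] || '';
  const hasFrameAncestors = /(^|;)\s*frame-ancestors\b/i.test(csp);
  return hasFrameAncestors && 'x-frame-options' in lower
    ? 'X-Frame-Options is ignored because CSP frame-ancestors is present'
    : null;
}

// Extract the sandbox value from one iframe tag (constructed markup only; in a
// page you would iterate document.querySelectorAll('iframe[sandbox]') instead).
function sandboxFromMarkup(tag) {
  const m = tag.match(/\bsandbox="([^"]*)"/i);
  return m ? m[1] : null;
}

// Constructed sample input mirroring the situation the comment describes.
const sampleIframe = '<iframe id="preview" sandbox="allow-scripts allow-same-origin allow-forms"></iframe>';
const sampleHeaders = { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" };

console.log(auditSandbox(sandboxFromMarkup(sampleIframe)));
console.log(auditFramingHeaders(sampleHeaders));
```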