[wp-trac] [WordPress Trac] #46301: Customizer iframe warning
WordPress Trac
noreply at wordpress.org
Thu Jan 30 08:41:24 UTC 2025
#46301: Customizer iframe warning
-------------------------------+------------------------------
Reporter: mensmaximus | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 5.1
Severity: minor | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Comment (by ermiuyo):
Replying to [comment:2 ermiuyo]:
> The warning in the browser console is triggered because the preview
> iframe inside the WordPress Customizer (customize.php) is being loaded
> with both allow-scripts and allow-same-origin in its sandbox attribute.
> This combination allows scripts within the iframe to break out of the
> sandbox, which is a security concern. Additionally, the Content Security
> Policy (CSP) message indicates that x-frame-options is being ignored due
> to the presence of frame-ancestors.
>
To confirm the issue, inspect the iframe element inside customize.php by
using Developer Tools (right-click → Inspect). Look for the sandbox
attribute inside the iframe. If it includes allow-scripts and
allow-same-origin, that is the reason for the warning.
Additionally, check the response headers of the previewed site using the
Network tab to verify CSP and X-Frame-Options settings.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46301#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
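The two checks the comment walks through (the sandbox token combination on the preview iframe, and an X-Frame-Options header that a frame-ancestors directive overrides), as an added example that is not part of the ticket or of WordPress core; the sample sandbox value and headers are constructed, and running the audit from the DevTools console on customize.php is an assumption about how it would be used.

```javascript
// Added example, not WordPress core code. Audits iframe sandbox tokens
// and response headers for the conditions described in the comment.

// Parse a sandbox attribute value into a normalized set of tokens.
function parseSandboxTokens(value) {
  return new Set(
    String(value || "").toLowerCase().split(/\s+/).filter(Boolean)
  );
}

// True when allow-scripts and allow-same-origin are both present: the
// framed document can then strip its own sandbox attribute, so the
// sandbox gives no isolation (the cause of the browser warning).
function sandboxEscapesIsolation(value) {
  const tokens = parseSandboxTokens(value);
  return tokens.has("allow-scripts") && tokens.has("allow-same-origin");
}

// Given response headers (lower-case names), report whether an
// X-Frame-Options header is ignored because the CSP already carries
// a frame-ancestors directive (browsers prefer the CSP directive).
function xfoIgnoredByCsp(headers) {
  const csp = headers["content-security-policy"] || "";
  const hasFrameAncestors = /(^|;)\s*frame-ancestors\b/i.test(csp);
  return "x-frame-options" in headers && hasFrameAncestors;
}

// Walk every iframe in a document and return the ones whose sandbox
// combination defeats isolation. `doc` is any object exposing
// querySelectorAll, so it works on the real DOM or on a test double.
function auditIframes(doc) {
  const findings = [];
  for (const frame of doc.querySelectorAll("iframe")) {
    const sandbox = frame.getAttribute("sandbox");
    if (sandbox !== null && sandboxEscapesIsolation(sandbox)) {
      findings.push({ src: frame.getAttribute("src"), sandbox });
    }
  }
  return findings;
}

// Constructed sample input mirroring the situation in the comment.
const sampleSandbox = "allow-scripts allow-same-origin allow-forms";
const sampleHeaders = {
  "content-security-policy": "frame-ancestors 'self'",
  "x-frame-options": "SAMEORIGIN",
};

// When run in a browser, audit the live page (e.g. customize.php).
if (typeof document !== "undefined") {
  console.log(auditIframes(document));
}
```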