[wp-trac] [WordPress Trac] #40020: Customizer fails to load in Safari due to X-Origin Header mismatch

WordPress Trac noreply at wordpress.org
Mon Mar 20 18:15:13 UTC 2017


#40020: Customizer fails to load in Safari due to X-Origin Header mismatch
-------------------------------+------------------------------
 Reporter:  nickkeenan         |       Owner:
     Type:  defect (bug)       |      Status:  new
 Priority:  normal             |   Milestone:  Awaiting Review
Component:  Customize          |     Version:  4.7.2
 Severity:  normal             |  Resolution:
 Keywords:  reporter-feedback  |     Focuses:
-------------------------------+------------------------------
Changes (by westonruter):

 * keywords:   => reporter-feedback


Comment:

 @nickkeenan I cannot reproduce this issue.

 The call to `send_frame_options_header()` happens ''before''
 `WP::send_headers()` which is what invokes
 `WP_Customize_Manager::filter_iframe_security_headers()` via the
 `wp_headers` filter. Because `WP::send_headers()` uses `header( $header )`
 and leaves off the second `$replace` parameter, the default value of
 `true` will be used. This means the last-sent `X-Frame-Options` header
 should be the one that ultimately gets sent to the client.

 I set up a configuration similar to yours, with WordPress installed in a
 subdirectory, the `home` being set to `http://core-subdirectory.vvv` and
 the `siteurl` being set to `http://core-subdirectory.vvv/src`.

 When I go to `http://core-subdirectory.vvv/src/wp-admin/customize.php`, I
 get this response header back:

 {{{
 X-Frame-Options: SAMEORIGIN
 }}}

 When I look at the network console for the document loaded into the
 iframe, here
 `http://core-subdirectory.vvv/?customize_changeset_uuid=92126aad-72f7-4c15-a7b1-e73ed23fb7a4&customize_theme=twentyseventeen&customize_messenger_channel=preview-0`,
 I get these headers in the response:

 {{{
 X-Frame-Options: ALLOW-FROM http://core-subdirectory.vvv/src/wp-admin/customize.php
 Content-Security-Policy: frame-ancestors http://core-subdirectory.vvv
 }}}

 So I'm not sure why your `X-Frame-Options` headers are showing multiple
 combined values that conflict. My best guess is that your web server is
 configured to add this additional value to the `X-Frame-Options` response
 header, or you have a plugin that is calling something like:

 {{{#!php
 <?php
 add_action( 'send_headers', function() {
     header( 'X-Frame-Options: SAMEORIGIN', false );
 } );
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40020#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
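A small diagnostic for the situation discussed in the comment above, added here as an example and not part of the ticket or of WordPress core: it parses a raw HTTP response head and flags a preview document that carries more than one `X-Frame-Options` directive, whether as repeated header lines or as comma-joined values. The two response strings are constructed from the headers quoted in the comment; the conflicting one is hypothetical.

```python
"""Flag conflicting X-Frame-Options directives in a raw HTTP response head."""
from typing import Dict, List, Tuple

# Constructed from the headers the comment reports for the preview document.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: ALLOW-FROM http://core-subdirectory.vvv/src/wp-admin/customize.php\r\n"
    "Content-Security-Policy: frame-ancestors http://core-subdirectory.vvv\r\n"
    "\r\n"
)

# Constructed (hypothetical): what a second header() call with $replace = false,
# or a server rule appending SAMEORIGIN, would produce.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: ALLOW-FROM http://core-subdirectory.vvv/src/wp-admin/customize.php\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors http://core-subdirectory.vvv\r\n"
    "\r\n"
)


def parse_head(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs, keeping duplicate names in order."""
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # the blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def xfo_directives(headers: List[Tuple[str, str]]) -> List[str]:
    """Collect every X-Frame-Options directive, whether sent as separate header
    lines or joined with commas into one line by a proxy or the web server."""
    values = []
    for name, value in headers:
        if name == "x-frame-options":
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def diagnose(raw: str) -> Dict[str, object]:
    """A browser honours a single X-Frame-Options value, so any second directive
    is reported as a conflict; the CSP frame-ancestors presence is reported too."""
    headers = parse_head(raw)
    directives = xfo_directives(headers)
    csp = [v for n, v in headers if n == "content-security-policy"]
    return {
        "x_frame_options": directives,
        "conflict": len(directives) > 1,
        "frame_ancestors": any("frame-ancestors" in v for v in csp),
    }
```

Run `diagnose()` over the response head captured for the iframe document; a `conflict` of `True` points at a plugin or server rule adding a second value, as the comment suggests.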
