[wp-trac] [WordPress Trac] #48656: Views details blocked by SAMEORIGIN
WordPress Trac
noreply at wordpress.org
Thu Apr 2 11:13:39 UTC 2026
#48656: Views details blocked by SAMEORIGIN
----------------------------+------------------------------
Reporter: sebastienserre | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Plugins | Version: 5.3
Severity: major | Resolution:
Keywords: has-patch | Focuses: multisite
----------------------------+------------------------------
Changes (by makdiahussain):
* keywords: needs-patch => has-patch
Comment:
The issue is in plugin-install.php. On multisite subsites, the redirect to
network_admin_url() on line 22 fires even for IFRAME_REQUEST (the "View
Details" thickbox modal). This causes a cross-origin redirect, which the
browser blocks due to X-Frame-Options: SAMEORIGIN.

The patch skips the network admin redirect when IFRAME_REQUEST is defined,
so the plugin information modal loads directly on the subsite without a
cross-origin issue. IFRAME_REQUEST is already set on line 9 when
tab=plugin-information.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48656#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
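
Added example, not part of the ticket comment or of WordPress core: a small JavaScript model of the browser's X-Frame-Options decision for a framed URL that is reached through a redirect, showing why the "View Details" modal is blocked when the redirect leaves the subsite's origin and loads once the redirect is skipped. All hostnames, paths and function names are constructed assumptions, and the model assumes the final response carries the header and the parent page is the top-level document.

```javascript
// Added illustration, not WordPress core code. Hostnames and paths are constructed.
const SUBSITE_PARENT = 'https://site1.example.test/wp-admin/plugins.php';
const MODAL_SRC =
  'https://site1.example.test/wp-admin/plugin-install.php?tab=plugin-information&plugin=demo';
// Assumed shape of the network admin URL that the redirect points to.
const NETWORK_TARGET = 'https://example.test/wp-admin/network/plugin-install.php';

// Follow a constructed redirect table (URL -> Location) to the final URL.
function resolveRedirects(startUrl, redirects, maxHops = 5) {
  let current = new URL(startUrl).href;
  for (let hop = 0; hop <= maxHops; hop++) {
    const location = redirects[current];
    if (location === undefined) return current;
    current = new URL(location, current).href; // Location may be relative
  }
  throw new Error('too many redirects');
}

// Decide whether a frame is blocked, assuming the final response carries the
// given X-Frame-Options value and the parent is the top-level document.
function frameDecision(parentUrl, frameSrc, redirects = {}, xfo = 'SAMEORIGIN') {
  const finalUrl = resolveRedirects(frameSrc, redirects);
  const policy = xfo.trim().toUpperCase();
  // Origin = scheme + host + port; a different subdomain is a different origin.
  const sameOrigin = new URL(finalUrl).origin === new URL(parentUrl).origin;
  // Unrecognized header values are ignored by browsers, so they do not block.
  const blocked = policy === 'DENY' || (policy === 'SAMEORIGIN' && !sameOrigin);
  return { finalUrl, sameOrigin, blocked };
}

// Behaviour described in the comment: the redirect fires inside the modal.
const unpatched = frameDecision(SUBSITE_PARENT, MODAL_SRC, { [MODAL_SRC]: NETWORK_TARGET });
// Behaviour after the described patch: no redirect for the iframe request.
const patched = frameDecision(SUBSITE_PARENT, MODAL_SRC, {});
console.log({ unpatched, patched });
```

In this model a subdirectory-style network, where the subsite and the network admin share one origin, is not blocked even with the redirect in place, which is why the symptom depends on how the subsite's hostname relates to the network's.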