[wp-trac] [WordPress Trac] #64740: credentialless iframe incompatible with some browsers and cross-origin policies
WordPress Trac
noreply at wordpress.org
Thu Feb 26 18:26:09 UTC 2026
#64740: credentialless iframe incompatible with some browsers and cross-origin
policies
--------------------------+-----------------------------
Reporter: amykamala | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Editor | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
After the 7.0 Beta 1 launch, Core received [this
report](https://wordpress.slack.com/archives/C02RQBWTW/p1771603791270799)
of a `NS_ERROR_DOM_COEP_FAILED` error in Firefox related to the iframed
post editor.
Firefox currently does not support credentialless iframes and has an [open
bug about it](https://bugzilla.mozilla.org/show_bug.cgi?id=1863531) -- the
result is some users may encounter that error and be unable to edit if
using Firefox.
Today just before the Beta 2 launch I received an additional report
directly from Elementor management, stating that they are encountering
errors with credentialless iframes at scale - which could potentially
break 4 million or more websites for WP users that use Elementor, upon
upgrading to 7.0.
A workaround is being implemented in Elementor version 3.35+, but folks
using older versions of the plugin (3.34 and below) are likely to have a
broken editor upon updating to 7.0. So backwards compatibility for
Elementor users is not in place once upgraded to WP 7.0. Below are the
details of the report -
STR:
Install WordPress 7.0-beta1 (or nightly: wp core update
https://wordpress.org/nightly-builds/wordpress-latest.zip)
Install and activate Elementor
Open any page in the Elementor editor
Editor fails to load; console shows SecurityError
Quick analysis:
WordPress 7.0-beta1 introduces cross-origin isolation headers on all admin
pages:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: credentialless
These headers are not present on frontend pages, including the Elementor
preview iframe (/?p=X&elementor-preview=1). When a parent document sets
Cross-Origin-Embedder-Policy: credentialless and an embedded iframe does
not cooperate with this policy, the browser treats the iframe as cross-
origin, even when both share the same origin. This blocks all
contentWindow property access from the parent to the iframe.
The Elementor editor relies on accessing contentWindow.elementorFrontend
in Editor.onPreviewLoaded() (assets/dev/js/editor/editor-base.js:1266-1268).
With WP 7.0, this throws:
Uncaught SecurityError: Failed to read a named property
'elementorFrontend' from 'Window': Blocked a frame with origin "http://..."
from accessing a cross-origin frame.
The editor fails to initialize entirely.
Disabling the new security headers on post.php if ?action=elementor is a
potential workaround Elementor established, but because it's plugin-specific
it could not be applied in Core.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64740>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform