[wp-trac] [WordPress Trac] #64740: credentialless iframe incompatible with some browsers and cross-origin policies
WordPress Trac
noreply at wordpress.org
Thu Feb 26 18:30:49 UTC 2026
#64740: credentialless iframe incompatible with some browsers and cross-origin policies
--------------------------+------------------------------
Reporter: amykamala | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Editor | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Description changed by amykamala:
Old description:
> After the 7.0 Beta 1 launch, Core received [this
> report](https://wordpress.slack.com/archives/C02RQBWTW/p1771603791270799)
> of a `NS_ERROR_DOM_COEP_FAILED` error in Firefox related to the iframed
> post editor.
>
> Firefox currently does not support credentialless iframes and has an
> [open bug about it](https://bugzilla.mozilla.org/show_bug.cgi?id=1863531)
> -- the result is some users may encounter that error and be unable to
> edit if using Firefox.
>
> Today just before the Beta 2 launch I received an additional report
> directly from Elementor management, stating that they are encountering
> errors with credentialless iframes at scale - which could potentially
> break 4 million or more websites for WP users that use Elementor, upon
> upgrading to 7.0.
>
> A workaround is being implemented in Elementor version 3.35+, but folks
> using older versions of the plugin, (3.34 and below) are likely to have a
> broken editor upon updating to 7.0. So backwards compatibility for
> Elementor users is not in place once upgraded to WP 7.0. Below are the
> details of the report -
>
> STR:
>
> 1. Install WordPress 7.0-beta1 (or nightly: wp core update
>    https://wordpress.org/nightly-builds/wordpress-latest.zip)
> 2. Install and activate Elementor
> 3. Open any page in the Elementor editor
> 4. Editor fails to load; console shows SecurityError
>
> Quick analysis:
>
> WordPress 7.0-beta1 introduces cross-origin isolation headers on all
> admin pages:
>
> Cross-Origin-Opener-Policy: same-origin
> Cross-Origin-Embedder-Policy: credentialless
>
> These headers are not present on frontend pages, including the Elementor
> preview iframe (/?p=X&elementor-preview=1). When a parent document sets
> Cross-Origin-Embedder-Policy: credentialless and an embedded iframe does
> not cooperate with this policy, the browser treats the iframe as
> cross-origin, even when both share the same origin. This blocks all
> contentWindow property access from the parent to the iframe.
>
> The Elementor editor relies on accessing contentWindow.elementorFrontend
> in Editor.onPreviewLoaded() (assets/dev/js/editor/editor-base.js:1266-1268).
> With WP 7.0, this throws:
>
> Uncaught SecurityError: Failed to read a named property 'elementorFrontend'
> from 'Window': Blocked a frame with origin "http://..." from accessing a
> cross-origin frame.
>
> The editor fails to initialize entirely.
>
>
> Disabling the new security headers on post.php if ?action=elementor is a
> potential workaround Elementor established, but because it's plugin-specific
> that could not be applied in Core.
New description:
After the 7.0 Beta 1 launch, Core received [this
report](https://wordpress.slack.com/archives/C02RQBWTW/p1771603791270799)
of a `NS_ERROR_DOM_COEP_FAILED` error in Firefox related to the iframed
post editor.
Firefox currently does not support credentialless iframes and has an [open
bug about it](https://bugzilla.mozilla.org/show_bug.cgi?id=1863531) -- the
result is some users may encounter that error and be unable to edit if
using Firefox.
Today just before the Beta 2 launch I received an additional report from
Elementor, stating that they are encountering errors with credentialless
iframes at scale - which could potentially break 4 million or more
websites for WP users that use Elementor, upon upgrading to 7.0.
A workaround is being implemented in Elementor version 3.35+, but folks
using older versions of the plugin, (3.34 and below) are likely to have a
broken editor upon updating to 7.0. So backwards compatibility for
Elementor users is not in place once upgraded to WP 7.0. Below are the
details of the report -
STR:

1. Install WordPress 7.0-beta1 (or nightly: wp core update
   https://wordpress.org/nightly-builds/wordpress-latest.zip)
2. Install and activate Elementor
3. Open any page in the Elementor editor
4. Editor fails to load; console shows SecurityError

Quick analysis:

WordPress 7.0-beta1 introduces cross-origin isolation headers on all admin
pages:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: credentialless

These headers are not present on frontend pages, including the Elementor
preview iframe (/?p=X&elementor-preview=1). When a parent document sets
Cross-Origin-Embedder-Policy: credentialless and an embedded iframe does
not cooperate with this policy, the browser treats the iframe as
cross-origin, even when both share the same origin. This blocks all
contentWindow property access from the parent to the iframe.

The Elementor editor relies on accessing contentWindow.elementorFrontend
in Editor.onPreviewLoaded() (assets/dev/js/editor/editor-base.js:1266-1268).
With WP 7.0, this throws:

Uncaught SecurityError: Failed to read a named property 'elementorFrontend'
from 'Window': Blocked a frame with origin "http://..." from accessing a
cross-origin frame.
The editor fails to initialize entirely.
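The header mismatch the report describes can be checked offline. The following is an added example, not code from the ticket, WordPress or Elementor; it applies the HTML spec rule that a document nested in a parent sending Cross-Origin-Embedder-Policy require-corp or credentialless must itself send one of those two values, and the header samples are constructed to mirror the admin page and the front-end preview response named above.

```python
# Added example (not from the ticket): decide whether a child document's
# response headers satisfy the parent's Cross-Origin-Embedder-Policy.
# Header samples are constructed; the rule follows the HTML spec's
# "check a navigation response's adherence to its embedder policy".

ISOLATING = {"require-corp", "credentialless"}


def parse_headers(raw):
    """Raw HTTP header block -> {lower-name: policy token}; parameters
    such as ';report-to="x"' are dropped so only the token is compared."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.split(";", 1)[0].strip().lower()
    return headers


def coep(headers):
    """COEP value of a response; a missing header means unsafe-none."""
    return headers.get("cross-origin-embedder-policy", "unsafe-none")


def embed_allowed(parent_raw, child_raw):
    """Return (allowed, reason) for loading child inside parent.
    Cross-Origin-Opener-Policy is ignored on purpose: it governs
    window.open/opener relationships, not nested frames."""
    parent = coep(parse_headers(parent_raw))
    child = coep(parse_headers(child_raw))
    if parent not in ISOLATING:
        return True, "parent COEP %s imposes nothing on frames" % parent
    if child in ISOLATING:
        return True, "child COEP %s satisfies parent COEP %s" % (child, parent)
    return False, ("parent COEP %s but child COEP %s: frame refused "
                   "(Firefox NS_ERROR_DOM_COEP_FAILED) or treated as cross-origin, "
                   "so contentWindow reads throw SecurityError" % (parent, child))


# Constructed samples: the admin page carries the 7.0 headers from the
# report, the front-end preview response does not.
ADMIN_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: credentialless
"""
PREVIEW_HEADERS = "HTTP/1.1 200 OK\nContent-Type: text/html; charset=UTF-8\n"
# The same preview response if it also sent a cooperating COEP value.
PREVIEW_HEADERS_FIXED = PREVIEW_HEADERS + "Cross-Origin-Embedder-Policy: credentialless\n"

if __name__ == "__main__":
    for label, child in (("preview", PREVIEW_HEADERS), ("preview+COEP", PREVIEW_HEADERS_FIXED)):
        ok, why = embed_allowed(ADMIN_HEADERS, child)
        print("%-13s %s  %s" % (label, "ALLOW" if ok else "BLOCK", why))
```

Pointing `parse_headers` at real `curl -sI` output for an admin page and for the preview URL reproduces the same check against a live site.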
Ticket URL: <https://core.trac.wordpress.org/ticket/64740#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>