[wp-trac] [WordPress Trac] #64740: credentialless iframe incompatible with some browsers and cross-origin policies

WordPress Trac noreply at wordpress.org
Thu Feb 26 18:51:58 UTC 2026


#64740: credentialless iframe incompatible with some browsers and cross-origin
policies
--------------------------+---------------------
 Reporter:  amykamala     |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  7.0
Component:  Editor        |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+---------------------
Description changed by westonruter:

Old description:

> After the 7.0 Beta 1 launch, Core received
> [https://wordpress.slack.com/archives/C02RQBWTW/p1771603791270799 this
> report] of a `NS_ERROR_DOM_COEP_FAILED` error in Firefox related to the
> iframed post editor.
>
> Firefox currently does not support credentialless iframes and has an
> [https://bugzilla.mozilla.org/show_bug.cgi?id=1863531 open bug about it]
> -- the result is some users may encounter that error and be unable to
> edit if using Firefox.
>
> Today just before the Beta 2 launch I received an additional report from
> Elementor, stating that they are encountering errors with credentialless
> iframes at scale - which could potentially break 4 million or more
> websites for WP users that use Elementor, upon upgrading to 7.0.
>
> A workaround is being implemented in Elementor version 3.35+, but folks
> using older versions of the plugin (3.34 and below) are likely to have a
> broken editor upon updating to 7.0. So backwards compatibility for
> Elementor users is not in place once upgraded to WP 7.0. Below are the
> details of the report -
>
> STR:
>
> Install WordPress 7.0-beta1 (or nightly: wp core update
> https://wordpress.org/nightly-builds/wordpress-latest.zip)
> Install and activate Elementor
> Open any page in the Elementor editor
> Editor fails to load; console shows SecurityError
> Quick analysis:
> WordPress 7.0-beta1 introduces cross-origin isolation headers on all
> admin pages:
> Cross-Origin-Opener-Policy: same-origin
> Cross-Origin-Embedder-Policy: credentialless
> These headers are not present on frontend pages, including the Elementor
> preview iframe (/?p=X&elementor-preview=1). When a parent document sets
> Cross-Origin-Embedder-Policy: credentialless and an embedded iframe does
> not cooperate with this policy, the browser treats the iframe as cross-
> origin, even when both share the same origin. This blocks all
> contentWindow property access from the parent to the iframe.
>
> The Elementor editor relies on accessing contentWindow.elementorFrontend
> in Editor.onPreviewLoaded()
> (assets/dev/js/editor/editor-base.js:1266-1268). With WP 7.0, this throws:
> Uncaught SecurityError: Failed to read a named property
> 'elementorFrontend' from 'Window': Blocked a frame with origin
> "http://..." from accessing a cross-origin frame.
>
> The editor fails to initialize entirely.

New description:

 After the 7.0 Beta 1 launch, Core received
 [https://wordpress.slack.com/archives/C02RQBWTW/p1771603791270799 this
 report] of a `NS_ERROR_DOM_COEP_FAILED` error in Firefox related to the
 iframed post editor.

 Firefox currently does not support credentialless iframes and has an
 [https://bugzilla.mozilla.org/show_bug.cgi?id=1863531 open bug about it]
 -- the result is some users may encounter that error and be unable to edit
 if using Firefox.

 Today just before the Beta 2 launch I received an additional report from
 Elementor, stating that they are encountering errors with credentialless
 iframes at scale - which could potentially break 4 million or more
 websites for WP users that use Elementor, upon upgrading to 7.0.

 A workaround is being implemented in Elementor version 3.35+, but folks
 using older versions of the plugin (3.34 and below) are likely to have a
 broken editor upon updating to 7.0. So backwards compatibility for
 Elementor users is not in place once upgraded to WP 7.0. Below are the
 details of the report -

 Steps to reproduce:

 1. Install WordPress 7.0-beta1 (or nightly: wp core update
 https://wordpress.org/nightly-builds/wordpress-latest.zip)
 2. Install and activate Elementor
 3. Open any page in the Elementor editor
 4. Editor fails to load; console shows SecurityError

 Quick analysis:

 WordPress 7.0-beta1 introduces cross-origin isolation headers on all admin
 pages:
 {{{
 Cross-Origin-Opener-Policy: same-origin
 Cross-Origin-Embedder-Policy: credentialless
 }}}
 These headers are not present on frontend pages, including the Elementor
 preview iframe (`/?p=X&elementor-preview=1`). When a parent document sets
 `Cross-Origin-Embedder-Policy: credentialless` and an embedded iframe does
 not cooperate with this policy, the browser treats the iframe as cross-
 origin, even when both share the same origin. This blocks all
 `contentWindow` property access from the parent to the iframe.

 The Elementor editor relies on accessing `contentWindow.elementorFrontend`
 in `Editor.onPreviewLoaded()`
 (`assets/dev/js/editor/editor-base.js:1266-1268`). With WP 7.0, this throws:
 > Uncaught SecurityError: Failed to read a named property
 'elementorFrontend' from 'Window': Blocked a frame with origin "http://..."
 from accessing a cross-origin frame.

 The editor fails to initialize entirely.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64740#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
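
Added example, not part of the ticket and not WordPress or Elementor code: two JavaScript helpers for debugging the failure described above. One compares the response headers of the embedding page and the framed page, and one reads a global from the frame without letting the SecurityError abort initialization. All function names and the sample inputs are constructed for illustration.

```javascript
// Added example: all names and sample data here are constructed.
const ISOLATING = new Set(['require-corp', 'credentialless']);

// Extract COOP/COEP from a header map (case-insensitive names, parameters
// such as report-to dropped). An absent header means "unsafe-none".
function isolationPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).split(';')[0].trim().toLowerCase();
  }
  return {
    coop: h['cross-origin-opener-policy'] || 'unsafe-none',
    coep: h['cross-origin-embedder-policy'] || 'unsafe-none',
  };
}

// True when the embedding page sends an isolating COEP value and the framed
// page does not: the admin-page / preview-frame situation in the report.
function hasEmbedderPolicyMismatch(parentHeaders, frameHeaders) {
  const parent = isolationPolicy(parentHeaders);
  const frame = isolationPolicy(frameHeaders);
  return ISOLATING.has(parent.coep) && !ISOLATING.has(frame.coep);
}

// Read a global from an iframe's window and turn a SecurityError into a
// result object, so the caller can report it instead of dying mid-init.
function readFrameGlobal(iframe, name) {
  try {
    const win = iframe.contentWindow;
    if (!win) return { ok: false, reason: 'no-window' };
    const value = win[name];
    return value === undefined ? { ok: false, reason: 'missing' } : { ok: true, value };
  } catch (err) {
    if (err && err.name === 'SecurityError') return { ok: false, reason: 'cross-origin-blocked' };
    throw err; // unrelated failure: do not hide it
  }
}

// Constructed inputs: header sets as described in the ticket, plus stand-ins
// for a blocked and a reachable preview frame.
const adminHeaders = {
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'credentialless',
};
const previewHeaders = { 'Content-Type': 'text/html; charset=UTF-8' };
const blockedFrame = { contentWindow: new Proxy({}, {
  get() { throw new DOMException('Blocked a frame', 'SecurityError'); },
}) };
const openFrame = { contentWindow: { elementorFrontend: { ready: true } } };
```

In a browser, the header maps would come from the two responses (for example, copied from the network panel) and `iframe` would be the real preview element.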

