[wp-trac] [WordPress Trac] #64740: credentialless iframe incompatible with some browsers and cross-origin policies
WordPress Trac
noreply at wordpress.org
Fri Feb 27 01:06:17 UTC 2026
#64740: credentialless iframe incompatible with some browsers and cross-origin
policies
-------------------------------------+------------------------------
Reporter: amykamala | Owner: adamsilverstein
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 7.0
Component: Editor | Version:
Severity: normal | Resolution:
Keywords: has-patch needs-testing | Focuses:
-------------------------------------+------------------------------
Comment (by amykamala):
ACF is also affected by this (credentialless attribute compatibility).
They shared this in #core:
"mattgrshaw [4:46 PM]
Hello from the ACF team!
We're still looking into this, but it looks like the ACF WYSIWYG/TinyMCE
issue is caused by the credentialless attribute introduced in this PR:
https://github.com/wordpress/gutenberg/pull/74418
We've found a workaround on our side, but it's definitely a hack we'd
rather avoid shipping. We're also wondering if same-origin iframes (like
TinyMCE's) without an external src need the credentialless attribute
applied. Happy to discuss further or open a GitHub issue if that would
help."
https://wordpress.slack.com/archives/C02RQBWTW/p1772153184010619?thread_ts=1771603791.270799&cid=C02RQBWTW
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64740#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list