Theme Customizer: Add cross-domain handling for when the admin and front-end are different origins. Handles both ajax and postMessage calls. props rboren, mdawaffe, nacin. see #20507, #19910.

git-svn-id: https://develop.svn.wordpress.org/trunk@20741 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 14:20:15 +00:00 · 2012-05-08 20:13:34 +00:00
parent 6f90e8abd6
commit 320916cc53
3 changed files with 31 additions and 10 deletions
--- a/wp-includes/class-wp-customize.php
+++ b/wp-includes/class-wp-customize.php
@@ -71,6 +71,18 @@ final class WP_Customize {
 		if ( ! isset( $_REQUEST['customize'] ) || 'on' != $_REQUEST['customize'] )
 			return;

+		$url = parse_url( admin_url() );
+		$allowed_origins = array( 'http://' . $url[ 'host' ],  'https://' . $url[ 'host' ] );
+		// @todo preserve port?
+		if ( isset( $_SERVER[ 'HTTP_ORIGIN' ] ) && in_array( $_SERVER[ 'HTTP_ORIGIN' ], $allowed_origins ) ) {
+			$origin = $_SERVER[ 'HTTP_ORIGIN' ];
+		} else {
+			$origin = $url[ 'scheme' ] . '://' . $url[ 'host' ];
+		}
+
+		@header( 'Access-Control-Allow-Origin: ' .  $origin );
+		@header( 'Access-Control-Allow-Credentials: true' );
+
 		$this->start_previewing_theme();
 		show_admin_bar( false );
 	}
@@ -198,8 +210,6 @@ final class WP_Customize {
 	 */
 	public function customize_preview_settings() {
 		$settings = array(
-			// @todo: Perhaps grab the URL via $_POST?
-			'parent' => esc_url( admin_url( 'themes.php' ) ),
 			'values' => array(),
 		);