Theme Customizer: Check for CORS support when the preview and admin urls are cross-domain. Add a fallback to the customize control frame, and check support there as well. see #20582, #19910.

git-svn-id: https://develop.svn.wordpress.org/trunk@20886 602fd350-edb4-49c9-b593-d223f7449a82

wp-admin/customize.php

@@ -107,22 +107,33 @@ do_action( 'customize_controls_print_scripts' );
 	$allowed_urls = array( home_url('/') );
 	$admin_origin = parse_url( admin_url() );
 	$home_origin  = parse_url( home_url() );
+	$cross_domain = ( strtolower( $admin_origin[ 'host' ] ) != strtolower( $home_origin[ 'host' ] ) );
 
-	if ( is_ssl() && ( $admin_origin[ 'host' ] == $home_origin[ 'host' ] ) )
+	if ( is_ssl() && ! $cross_domain )
 		$allowed_urls[] = home_url( '/', 'https' );
 
 	$allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) );
 
+	$fallback_url = add_query_arg( array(
+		'preview'        => 1,
+		'template'       => $wp_customize->get_template(),
+		'stylesheet'     => $wp_customize->get_stylesheet(),
+		'preview_iframe' => true,
+		'TB_iframe'      => 'true'
+	), home_url( '/' ) );
+
 	$settings = array(
 		'theme'    => array(
 			'stylesheet' => $wp_customize->get_stylesheet(),
 			'active'     => $wp_customize->is_theme_active(),
 		),
 		'url'      => array(
-			'preview'  => esc_url( home_url( '/' ) ),
-			'parent'   => esc_url( admin_url() ),
-			'ajax'     => esc_url( admin_url( 'admin-ajax.php', 'relative' ) ),
-			'allowed'  => array_map( 'esc_url', $allowed_urls ),
+			'preview'       => esc_url( home_url( '/' ) ),
+			'parent'        => esc_url( admin_url() ),
+			'ajax'          => esc_url( admin_url( 'admin-ajax.php', 'relative' ) ),
+			'allowed'       => array_map( 'esc_url', $allowed_urls ),
+			'isCrossDomain' => $cross_domain,
+			'fallback'      => $fallback_url,
 		),
 		'settings' => array(),
 		'controls' => array(),