Customizer: Avoid `SecurityError`s when the Customizer is embedded in an origin other than wp-admin.

props mattwiebe.
fixes #31687.

git-svn-id: https://develop.svn.wordpress.org/trunk@31885 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-admin/js/customize-controls.js

@@ -1929,6 +1929,25 @@
 
 			this.query = $.extend( params.query || {}, { customize_messenger_channel: this.channel() });
 
+			// This avoids SecurityErrors when setting a window object in x-origin iframe'd scenarios.
+			this.targetWindow.set = function( to ) {
+				var from = this._value;
+
+				to = this._setter.apply( this, arguments );
+				to = this.validate( to );
+
+				if ( null === to || from === to ) {
+					return this;
+				}
+
+				this._value = to;
+				this._dirty = true;
+
+				this.callbacks.fireWith( this, [ to, from ] );
+
+				return this;
+			};
+
 			this.run( deferred );
 		},
 
@@ -2118,9 +2137,7 @@
 		tmpl = api.settings.documentTitleTmpl;
 		title = tmpl.replace( '%s', documentTitle );
 		document.title = title;
-		if ( window !== window.parent ) {
-			window.parent.document.title = document.title;
-		}
+		api.trigger( 'title', title );
 	};
 
 	/**
@@ -2799,6 +2816,11 @@
 				window.location = api.settings.url.activated;
 		});
 
+		// Pass titles to the parent
+		api.bind( 'title', function( newTitle ) {
+			parent.send( 'title', newTitle );
+		});
+
 		// Initialize the connection with the parent frame.
 		parent.send( 'ready' );
 

src/wp-includes/js/customize-loader.js

@@ -155,6 +155,10 @@ window.wp = window.wp || {};
 				Loader.saved( false );
 			} );
 
+			this.messenger.bind( 'title', function( newTitle ){
+				window.document.title = newTitle;
+			});
+
 			this.pushState( src );
 
 			this.trigger( 'open' );