From e1353e1fe8709c0440f538bec0f5a09c9c9ba83f Mon Sep 17 00:00:00 2001
From: "Dominik Schilling (ocean90)" <ocean90@git.wordpress.org>
Date: Wed, 25 Mar 2015 23:35:37 +0000
Subject: [PATCH] Customizer: [31885] actually hasn't fixed the
 `SecurityError`s. This one does.

props mattwiebe.
fixes #31687.

git-svn-id: https://develop.svn.wordpress.org/trunk@31893 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/js/customize-controls.js | 19 -------------------
 src/wp-includes/js/customize-base.js  | 25 ++++++++++++++++++++++++-
 2 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/src/wp-admin/js/customize-controls.js b/src/wp-admin/js/customize-controls.js
index 02a230d3af..a2b9489240 100644
--- a/src/wp-admin/js/customize-controls.js
+++ b/src/wp-admin/js/customize-controls.js
@@ -1929,25 +1929,6 @@
 
 			this.query = $.extend( params.query || {}, { customize_messenger_channel: this.channel() });
 
-			// This avoids SecurityErrors when setting a window object in x-origin iframe'd scenarios.
-			this.targetWindow.set = function( to ) {
-				var from = this._value;
-
-				to = this._setter.apply( this, arguments );
-				to = this.validate( to );
-
-				if ( null === to || from === to ) {
-					return this;
-				}
-
-				this._value = to;
-				this._dirty = true;
-
-				this.callbacks.fireWith( this, [ to, from ] );
-
-				return this;
-			};
-
 			this.run( deferred );
 		},
 
diff --git a/src/wp-includes/js/customize-base.js b/src/wp-includes/js/customize-base.js
index 5ffa924564..2e0ab19578 100644
--- a/src/wp-includes/js/customize-base.js
+++ b/src/wp-includes/js/customize-base.js
@@ -538,11 +538,34 @@ window.wp = window.wp || {};
 
 			this.add( 'channel', params.channel );
 			this.add( 'url', params.url || '' );
-			this.add( 'targetWindow', params.targetWindow || defaultTarget );
 			this.add( 'origin', this.url() ).link( this.url ).setter( function( to ) {
 				return to.replace( /([^:]+:\/\/[^\/]+).*/, '$1' );
 			});
 
+			// first add with no value
+			this.add( 'targetWindow', null );
+			// This avoids SecurityErrors when setting a window object in x-origin iframe'd scenarios.
+			this.targetWindow.set = function( to ) {
+				var from = this._value;
+
+				to = this._setter.apply( this, arguments );
+				to = this.validate( to );
+
+				if ( null === to || from === to ) {
+					return this;
+				}
+
+				this._value = to;
+				this._dirty = true;
+
+				this.callbacks.fireWith( this, [ to, from ] );
+
+				return this;
+			};
+			// now set it
+			this.targetWindow( params.targetWindow || defaultTarget );
+
+
 			// Since we want jQuery to treat the receive function as unique
 			// to this instance, we give the function a new guid.
 			//