Customizer: Improve browser compatibility of the preview iframe.

When `home` and `siteurl` are different, the customizer preview iframe will be blank in Chrome and Safari, due to their `X-Frame-Options` implementation quirks.

Changing this to `SAMEORIGIN` and adding the `frame-ancestors` Content Security Policy gives the correct behaviour.

Props fullyint.
Fixes #40020.



git-svn-id: https://develop.svn.wordpress.org/trunk@44580 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/class-wp-customize-manager.php

@@ -1896,9 +1896,8 @@ final class WP_Customize_Manager {
 	 * @return array Headers.
 	 */
 	public function filter_iframe_security_headers( $headers ) {
-		$customize_url                      = admin_url( 'customize.php' );
-		$headers['X-Frame-Options']         = 'ALLOW-FROM ' . $customize_url;
-		$headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );
+		$headers['X-Frame-Options']         = 'SAMEORIGIN';
+		$headers['Content-Security-Policy'] = "frame-ancestors 'self'";
 		return $headers;
 	}
 

tests/phpunit/tests/customize/manager.php

@@ -848,15 +848,16 @@ class Tests_WP_Customize_Manager extends WP_UnitTestCase {
 	 * Test WP_Customize_Manager::filter_iframe_security_headers().
 	 *
 	 * @ticket 30937
+	 * @ticket 40020
 	 * @covers WP_Customize_Manager::filter_iframe_security_headers()
 	 */
 	function test_filter_iframe_security_headers() {
-		$customize_url = admin_url( 'customize.php' );
 		$wp_customize  = new WP_Customize_Manager();
 		$headers       = $wp_customize->filter_iframe_security_headers( array() );
 		$this->assertArrayHasKey( 'X-Frame-Options', $headers );
 		$this->assertArrayHasKey( 'Content-Security-Policy', $headers );
-		$this->assertEquals( "ALLOW-FROM $customize_url", $headers['X-Frame-Options'] );
+		$this->assertEquals( 'SAMEORIGIN', $headers['X-Frame-Options'] );
+		$this->assertEquals( "frame-ancestors 'self'", $headers['Content-Security-Policy'] );
 	}
 
 	/**