Customizer / Posts: load the Customizer and post previews on sites that disallow iframes #3291
Conversation
query.return = protocol + '//' + host + this.getPreviousPath();
query.calypso = true;
query.calypsoOrigin = protocol + '//' + host;
if ( site.options.frame_nonce ) {
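Review bot: the guard `if ( site.options.frame_nonce )` on the last line throws a TypeError when a site response has no `options` at all; `site.options && site.options.frame_nonce` (or an early return) is the safer check. Also note that everything assembled into `query` here, including the nonce this branch is about to add, ends up in the Customizer URL's query string, so it will be recorded in browser history, server access logs and the Referer header of any link followed from the framed page; the nonce should therefore be short-lived and bound to the site rather than treated as a long-lived secret, and that expectation is worth stating in a comment next to the field.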
May need to guard against missing `options` attribute with `site.options && site.options.frame_nonce`.
I doubt we get site responses without `options`, but can't hurt.
Thanks for tackling this one!
Testing this pull, fixes the Customizer iframe issue for me — testing with an a8c private P2 site in local Calypso install on this branch. w00t!
parsed.query['frame-nonce'] = site.options.frame_nonce;
delete parsed.search;
previewUrl = url.format( parsed );
}
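Review bot: `parsed.query['frame-nonce'] = site.options.frame_nonce` on the first line only works if `parsed.query` is an object, which Node's `url.parse` returns only when called with `parseQueryString` set (`url.parse( previewUrl, true )`); otherwise `query` is a string and the assignment is silently dropped (or throws under strict mode), so the preview URL goes out without the nonce and the iframe is still blocked. Please confirm the parse call above uses the second argument, and cover it in the unit test suggested for this function. The `delete parsed.search` line is needed and correct, since `url.format` prefers `search` over `query` when both are present; a one-line comment saying so would save the next reader from removing it. Note also that `set`-style assignment overwrites any `frame-nonce` already in the preview URL, which is the desired behaviour but worth a comment.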
This function desperately needs unit tests, though understandably non-existent at the moment. I might suggest that you consider adding one to the existing utils test suite:
describe( '#getPreviewURL', function() {
it( 'should include a frame nonce when post has site defined', function() {
// ...
} );
} );
Not a blocker, but we should be more diligent about testing.
As much as it pains me to say, I'm gonna punt on that, since fixing everything here has already turned into a giant interdimensional rabbit hole.
We have some higher-security sites that always force the `x-frame-options: SAMEORIGIN` HTTP header, breaking the Customizer and post previewing. We allow unsetting this header through a nonce, which is now included in REST API responses for sites. This may pave the way for increasing the security for everyone by enabling said HTTP header on all WP.com sites.
To Test
Someone from Automattic will need to try post previews and/or the Customizer with an internal site. You may need to clear out your `localStorage` to ensure that your site responses are fresh and contain the nonce (`site.options.frame_nonce`).