id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc	focuses	prnumber
40020	Customizer fails to load in Safari due to X-Origin Header mismatch	nickkeenan	pento	"Steps to Reproduce: 

1) Using Safari (10.0.3, possibly other recent versions)
2) Plugins disabled, using TwentySeventeen theme, and WP 4.7.2
3) This is a site where the '''home''' and '''siteurl''' slightly differ. home is '''domain.com''', and siteurl is '''domain.com/wp'''.
4) Open the Customizer.

Result: Blank Customizer Frame, with console errors: 

[Error] Multiple 'X-Frame-Options' headers with conflicting values ('ALLOW-FROM http://archetype.gameflow.design/wp/wp-admin/customize.php, SAMEORIGIN') encountered when loading 'http://domain.com/?customize_changeset_uuid={{INSERT-UUID-HERE}}&customize_theme=twentyseventeen&customize_messenger_channel=preview-0'. Falling back to 'DENY'.

[Error] Refused to display 'http://archetype.gameflow.design/?customize_changeset_uuid={{INSERT-UUID-HERE}}&customize_theme=twentyseventeen&customize_messenger_channel=preview-0' in a frame because it set 'X-Frame-Options' to 'ALLOW-FROM http://archetype.gameflow.design/wp/wp-admin/customize.php, SAMEORIGIN'.

Potential Cause:
There are conflicting X-Frame-Options headers, which fall back to DENY in Safari 10.0.3.

`wp-includes/class-wp-customize-manager.php` line 1599:
`public function filter_iframe_security_headers( $headers )`

Conflicts with

`wp-includes/functions.php` line 5017:
`function send_frame_options_header()`

Which is loaded on `default-filters.php` on either `login_init` or `admin_init`.
"	defect (bug)	closed	normal	5.1	Customize	4.7.2	normal	fixed	has-patch dev-feedback has-unit-tests			
