WordPress: Return the X-XSS-Protection = 0 header for post previews
/**
 * Send an "X-XSS-Protection: 0" header for post previews to allow
 * WebKit browsers to render iframe and Flash objects.
 *
 * @see http://core.trac.wordpress.org/ticket/20148
 *
 * @param array $headers Already added header items.
 * @param WP    $object  The WP object holding the query variables.
 *
 * @return array
 */
function send_no_xss_protection_header( $headers, $object ) {
	$referer = wp_get_referer();

	// Only relax the browser XSS filter for a preview request that arrives
	// from the edit screen of the same post; all other responses keep the
	// headers they already had.
	if (
		! empty( $object->query_vars['preview'] ) &&
		! empty( $object->query_vars['p'] ) &&
		$referer &&
		$referer === sprintf( admin_url( 'post.php?post=%d&action=edit' ), $object->query_vars['p'] )
	) {
		$headers['X-XSS-Protection'] = '0';
	}

	return $headers;
}
add_filter( 'wp_headers', 'send_no_xss_protection_header', 10, 2 );