Media: Skip cross-origin isolation for third-party page builders #11170

Open
adamsilverstein wants to merge 1 commit into WordPress:trunk from adamsilverstein:skip-page-builder-dip

adamsilverstein (Member) commented Mar 5, 2026

Summary

  • Adds a check to skip Document-Isolation-Policy (DIP) when a third-party page builder overrides the block editor via a custom action query parameter
  • DIP isolates the document into its own agent cluster, which blocks same-origin iframe access that page builders rely on
  • Split out from Media: Use Document-Isolation-Policy for cross-origin isolation #11098 per review feedback to allow separate discussion of edge cases (e.g. Web Stories uses action=edit but replaces the block editor entirely)

See discussion: #11098 (comment)

Test plan

  • Verify the block editor still gets cross-origin isolation headers on standard post/page edit screens
  • Verify that a page builder using a custom action parameter (e.g. action=elementor) does NOT get DIP headers
  • Discuss edge cases where action=edit is used but the block editor is replaced (e.g. Web Stories)

Trac ticket: https://core.trac.wordpress.org/ticket/64803
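
One way to script the header checks from the test plan above, as an added example that is not part of this pull request or of WordPress core. Assumptions: the sample URLs, the constructed response heads and header value, and the rule that a missing `action` or `action=edit` means a standard edit screen. The Web Stories case (`action=edit` with a replaced editor) cannot be told apart by URL and is not covered.

```python
from urllib.parse import parse_qs, urlsplit

DIP = "document-isolation-policy"  # header names are case-insensitive


def parse_head(raw: bytes) -> tuple[int, dict[str, list[str]]]:
    """Split a raw HTTP/1.1 response head into (status, {name: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status_line.split(" ", 2)[1]), headers


def isolation_expected(url: str) -> bool:
    """Assumed rule: no action, or action=edit, is a standard edit screen."""
    # PHP keeps the last duplicate query value, so mirror that with [-1].
    return parse_qs(urlsplit(url).query).get("action", ["edit"])[-1] == "edit"


def check(url: str, raw: bytes) -> str:
    """Compare the header actually sent with what the test plan expects."""
    status, headers = parse_head(raw)
    if status != 200:
        return "skip"  # e.g. a redirect to the login form proves nothing
    present, wanted = DIP in headers, isolation_expected(url)
    if present == wanted:
        return "pass"
    return "fail: isolation header missing" if wanted else "fail: isolation header sent"


# Constructed response heads; the header value is a sample and is not checked.
ISOLATED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nDocument-Isolation-Policy: isolate-and-credentialless\r\n\r\n"
PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
LOGIN = b"HTTP/1.1 302 Found\r\nLocation: /wp-login.php\r\n\r\n"

SAMPLES = [
    ("/wp-admin/post.php?post=1&action=edit", ISOLATED),
    ("/wp-admin/post.php?post=1&action=elementor", PLAIN),
    ("/wp-admin/post.php?post=1&action=elementor", ISOLATED),
    ("/wp-admin/post.php?post=1&action=edit", PLAIN),
    ("/wp-admin/post.php?post=1&action=edit&action=elementor", PLAIN),
    ("/wp-admin/post.php?post=1&action=edit", LOGIN),
]

if __name__ == "__main__":
    for url, raw in SAMPLES:
        print(f"{check(url, raw):32} {url}")
```

To use it against a real site, replace the constructed heads with response heads captured from an authenticated session; an unauthenticated request is redirected and reported as `skip`.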

github-actions bot commented Mar 5, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props adamsilverstein.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

github-actions bot commented Mar 5, 2026

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

adamsilverstein added a commit to adamsilverstein/wordpress-develop that referenced this pull request Mar 5, 2026
…ation.

Remove tests for the page builder action check that was moved to a
separate PR (WordPress#11170).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add a check to skip Document-Isolation-Policy when a third-party page
builder overrides the block editor via a custom action parameter. DIP
isolates the document into its own agent cluster, which blocks
same-origin iframe access that these editors rely on.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

adamsilverstein force-pushed the skip-page-builder-dip branch from 68f7673 to 3f563a1, March 5, 2026 11:50

return;
}

// Skip when a third-party page builder overrides the block editor.
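
Review bot: the inline comment on the last line of this fragment, "Skip when a third-party page builder overrides the block editor", does not say how an override is recognised or which values trigger the skip. The PR summary describes the trigger as a custom action query parameter, which is request input, so the comment should name the action values that disable isolation. If any value other than edit triggers the skip, consider restricting it to a filterable list of known builder actions so that isolation on an edit screen is not decided by an arbitrary URL parameter.
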
Member commented:

Which third party page builder(s) specifically is known to have an issue that this fixes?
