If the front end and the admin are served from the same domain, load the
preview over ssl if the Customizer is being loaded over ssl. This avoids
insecure content warnings. This is not attempted if the admin and front end
are on different domains to avoid the case where the front end doesn't have
ssl certs. Domain mapping plugins can allow other urls in these conditions
using the customize_allowed_urls filter.
| public get_allowed_urls ( ) |
/**
* Test WP_Customize_Manager::get_allowed_urls().
*
* @ticket 30937
* @covers WP_Customize_Manager::get_allowed_urls()
*/
function test_get_allowed_urls()
{
$wp_customize = new WP_Customize_Manager();
$this->assertFalse(is_ssl());
$this->assertFalse($wp_customize->is_cross_domain());
$allowed = $wp_customize->get_allowed_urls();
$this->assertEquals($allowed, array(home_url('/', 'http')));
add_filter('customize_allowed_urls', array($this, 'filter_customize_allowed_urls'));
$allowed = $wp_customize->get_allowed_urls();
$this->assertEqualSets($allowed, array('http://headless.example.com/', home_url('/', 'http')));
}