Media: Broaden the Document-Isolation-Policy header to all admin pages (backport GB #76662)

src/wp-includes/default-filters.php

@@ -698,10 +698,7 @@
 // Client-side media processing.
 add_action( 'admin_init', 'wp_set_client_side_media_processing_flag' );
 // Cross-origin isolation for client-side media processing.
-add_action( 'load-post.php', 'wp_set_up_cross_origin_isolation' );
-add_action( 'load-post-new.php', 'wp_set_up_cross_origin_isolation' );
-add_action( 'load-site-editor.php', 'wp_set_up_cross_origin_isolation' );
-add_action( 'load-widgets.php', 'wp_set_up_cross_origin_isolation' );
+add_action( 'admin_init', 'wp_set_up_cross_origin_isolation' );
 // Nav menu.
 add_filter( 'nav_menu_item_id', '_nav_menu_item_id_use_once', 10, 2 );
 add_filter( 'nav_menu_css_class', 'wp_nav_menu_remove_menu_item_has_children_class', 10, 4 );

src/wp-includes/media.php

@@ -6533,12 +6533,17 @@ function wp_get_chromium_major_version(): ?int {
 }
 
 /**
- * Enables cross-origin isolation in the block editor.
+ * Enables cross-origin isolation on admin pages.
  *
  * Required for enabling SharedArrayBuffer for WebAssembly-based
  * media processing in the editor. Uses Document-Isolation-Policy
  * on supported browsers (Chromium 137+).
  *
+ * Applied to all admin pages so that navigations between editor pages
+ * and other admin screens (site editor, template operations, pattern
+ * editing) remain in the same agent cluster, preserving cross-window
+ * communication.
+ *
  * Skips setup when a third-party page builder overrides the block
  * editor via a custom `action` query parameter, as DIP would block
  * same-origin iframe access that these editors rely on.
@@ -6550,13 +6555,8 @@ function wp_set_up_cross_origin_isolation(): void {
 		return;
 	}
 
-	$screen = get_current_screen();
-
-	if ( ! $screen ) {
-		return;
-	}
-
-	if ( ! $screen->is_block_editor() && 'site-editor' !== $screen->id && ! ( 'widgets' === $screen->id && wp_use_widgets_block_editor() ) ) {
+	// Cross-origin isolation is not needed if users can't upload files anyway.
+	if ( ! current_user_can( 'upload_files' ) ) {
 		return;
 	}
 
@@ -6569,11 +6569,6 @@ function wp_set_up_cross_origin_isolation(): void {
 		return;
 	}
 
-	// Cross-origin isolation is not needed if users can't upload files anyway.
-	if ( ! current_user_can( 'upload_files' ) ) {
-		return;
-	}
-
 	wp_start_cross_origin_isolation_output_buffer();
 }
 

tests/phpunit/tests/media/wpCrossOriginIsolation.php

@@ -89,13 +89,15 @@ public function test_returns_early_when_client_side_processing_disabled() {
 	/**
 	 * @ticket 64766
 	 */
-	public function test_returns_early_when_no_screen() {
-		// No screen is set, so it should return early.
+	public function test_returns_early_when_user_cannot_upload() {
+		$user_id = self::factory()->user->create( array( 'role' => 'subscriber' ) );
+		wp_set_current_user( $user_id );
+
 		$level_before = ob_get_level();
 		wp_set_up_cross_origin_isolation();
 		$level_after = ob_get_level();
 
-		$this->assertSame( $level_before, $level_after );
+		$this->assertSame( $level_before, $level_after, 'Output buffer should not start for users who cannot upload files.' );
 	}
 
 	/**