/**
 * Add a X-XSS-Protection = 0 header for post previews to allow
 * Webkit browsers to render iframe and flash objects.
 * @see: http://core.trac.wordpress.org/ticket/20148
 *
 * @param $headers array  Already added header items.
 * @param $object  WP     The query variables.
 *
 * @return array
 */
function send_no_xss_protection_header( $headers, $object ) {
	$headers['X-XSS-Protection'] = 0;
	return $headers;
}
add_filter( 'wp_headers', 'send_no_xss_protection_header', 10, 2 );