
Added access-control-max-age to content API preflight requests (#15026)

refs https://github.com/TryGhost/Team/issues/1676

- Added maxAge option to content API
- Added maxAge to members API
- Added maxAge to frontend site preflights (probably not used, but it was configured, so added to be sure)
- Added config option to change default maxAge of preflight requests
This commit is contained in:
Simon Backx 2022-07-14 09:09:53 +02:00 committed by GitHub
parent 000fc98f24
commit d65aa08772
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 11 additions and 7 deletions


@ -13,7 +13,8 @@ function corsOptionsDelegate(req, callback) {
const origin = req.header('Origin');
const corsOptions = {
origin: false, // disallow cross-origin requests by default
credentials: true // required to allow admin-client to login to private sites
credentials: true, // required to allow admin-client to login to private sites
maxAge: config.get('caching:cors:maxAge')
};
if (!origin || origin === 'null') {
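Review bot: The new `maxAge` option applies to every result corsOptionsDelegate produces, including the branches (outside this hunk) that set `origin` to an allowlisted value alongside `credentials: true`; once a browser has cached a positive preflight, removing that origin from the allowlist is not seen by that browser until the cached entry expires, so for a credentialed, allowlist-based endpoint a short `Access-Control-Max-Age` is the safer choice than sharing the 24h value used for the public content API. Browsers also clamp the header (Chromium to 7200s), so 86400 buys less than it suggests. I would record this next to the option: `maxAge: config.get('caching:cors:maxAge') // seconds; a cached preflight outlives allowlist changes, keep short for credentialed origins`. The hunk adds no `require` for `config`, so presumably it is already in scope in this file; worth confirming. corsOptionsDelegate continues past the end of the hunk.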


@ -3,11 +3,12 @@ const cors = require('cors');
const api = require('../../../../api').endpoints;
const http = require('../../../../api').shared.http;
const mw = require('./middleware');
const config = require('../../../../../shared/config');
module.exports = function apiRoutes() {
const router = express.Router('content api');
router.use(cors());
router.use(cors({maxAge: config.get('caching:cors:maxAge')}));
// ## Posts
router.get('/posts', mw.authenticatePublic, http(api.postsPublic.browse));


@ -2,9 +2,10 @@ const cors = require('cors');
const url = require('url');
const os = require('os');
const urlUtils = require('../../../../shared/url-utils');
const config = require('../../../../shared/config');
let allowlist = [];
const ENABLE_CORS = {origin: true, maxAge: 86400};
const ENABLE_CORS = {origin: true, maxAge: config.get('caching:cors:maxAge')};
const DISABLE_CORS = {origin: false};
/**


@ -1,9 +1,7 @@
const debug = require('@tryghost/debug')('members');
const {URL} = require('url');
const cors = require('cors');
const bodyParser = require('body-parser');
const express = require('../../../shared/express');
const urlUtils = require('../../../shared/url-utils');
const sentry = require('../../../shared/sentry');
const membersService = require('../../services/members');
const stripeService = require('../../services/stripe');
@ -11,6 +9,7 @@ const middleware = membersService.middleware;
const shared = require('../shared');
const labs = require('../../../shared/labs');
const errorHandler = require('@tryghost/mw-error-handler');
const config = require('../../../shared/config');
const commentRouter = require('../comments');
@ -22,8 +21,7 @@ module.exports = function setupMembersApp() {
membersApp.use(shared.middleware.cacheControl('private'));
// Support CORS for requests from the frontend
const siteUrl = new URL(urlUtils.getSiteUrl());
membersApp.use(cors(siteUrl.origin));
membersApp.use(cors({maxAge: config.get('caching:cors:maxAge')}));
// Currently global handling for signing in with ?token= magiclinks
membersApp.use(middleware.createSessionFromMagicLink);
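Review bot: `membersApp.use(cors({maxAge: config.get('caching:cors:maxAge')}))` no longer passes the site origin, so the members endpoints fall back to the cors package's default origin, which as far as I recall is `*`, while the comment just above still says `// Support CORS for requests from the frontend`. If restricting to the site's own origin is still the intent, the option object should carry it: `membersApp.use(cors({origin: siteUrl.origin, maxAge: config.get('caching:cors:maxAge')}));` (the hunk header counts, -22,8 +21,7, suggest `const siteUrl = ...` was removed together with the old call, so it would need to come back); if an open origin is intended, the comment should say so. Note that the old form `cors(siteUrl.origin)` passed a string where cors expects an options object or function, so it may never have restricted the origin in practice, which is worth confirming with a preflight from a foreign origin before and after this change. With no `credentials` option set, a `*` origin does not expose member cookies cross-origin, but that should be stated rather than relied on implicitly. setupMembersApp continues past the end of the hunk.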


@ -113,6 +113,9 @@
},
"robotstxt": {
"maxAge": 3600000
},
"cors": {
"maxAge": 86400
}
},
"imageOptimization": {
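Review bot: `cors.maxAge` is emitted as `Access-Control-Max-Age`, which is in seconds, while the neighbouring `robotstxt.maxAge` of 3600000 reads as an hour in milliseconds; with both under `caching` and no way to comment in JSON, the unit is easy to get wrong when overriding via `caching__cors__maxAge`. Consider documenting the unit where this key is described (or naming it `maxAgeSeconds` while the key is new), and noting that browsers cap the header (Chromium at 7200s, Firefox at 86400s), so values above a day have no effect. I cannot see from the diff how `robotstxt.maxAge` is consumed, so the millisecond reading is inferred from its magnitude.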