From d65aa087720201f31e58c2f47cd802fc479c28d9 Mon Sep 17 00:00:00 2001
From: Simon Backx
Date: Thu, 14 Jul 2022 09:09:53 +0200
Subject: [PATCH] Added access-control-max-age to content API preflight requests (#15026)
refs https://github.com/TryGhost/Team/issues/1676
- Added maxAge option to content API
- Added maxAge to members API
- Added maxAge to frontend site preflights (probably not used, but it was configured, so added to be sure)
- Added config option to change default maxAge of preflight requests
---
 core/frontend/web/middleware/cors.js | 3 ++-
 core/server/web/api/endpoints/content/routes.js | 3 ++-
 core/server/web/api/middleware/cors.js | 3 ++-
 core/server/web/members/app.js | 6 ++----
 core/shared/config/defaults.json | 3 +++
 5 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/core/frontend/web/middleware/cors.js b/core/frontend/web/middleware/cors.js
index 4d27774d40..c4c0bf9ad1 100644
--- a/core/frontend/web/middleware/cors.js
+++ b/core/frontend/web/middleware/cors.js
@@ -13,7 +13,8 @@ function corsOptionsDelegate(req, callback) {
 const origin = req.header('Origin');
 const corsOptions = {
 origin: false, // disallow cross-origin requests by default
- credentials: true // required to allow admin-client to login to private sites
+ credentials: true, // required to allow admin-client to login to private sites
+ maxAge: config.get('caching:cors:maxAge')
 };
 if (!origin || origin === 'null') {
diff --git a/core/server/web/api/endpoints/content/routes.js b/core/server/web/api/endpoints/content/routes.js
index 6b9d6ff6ca..f87c37a4a0 100644
--- a/core/server/web/api/endpoints/content/routes.js
+++ b/core/server/web/api/endpoints/content/routes.js
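Review bot: The added `maxAge: config.get('caching:cors:maxAge')` inside corsOptionsDelegate relies on a `config` binding that this patch does not introduce for core/frontend/web/middleware/cors.js — the other two JS files each get a new `require('.../shared/config')` line, and this file's diffstat (`3 ++-`) is fully accounted for by the visible hunk. If the module does not already require shared config, the first preflight fails with a ReferenceError inside the delegate rather than at startup, so it is worth confirming against the file head, which lies outside the hunk. Separately, the value is re-read from config on every request here but captured once at module load in the other two call sites; hoisting it to a module-level `const corsMaxAge = config.get('caching:cors:maxAge');` keeps the three consistent. corsOptionsDelegate continues past the end of the hunk.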
@@ -3,11 +3,12 @@ const cors = require('cors');
 const api = require('../../../../api').endpoints;
 const http = require('../../../../api').shared.http;
 const mw = require('./middleware');
+const config = require('../../../../../shared/config');
 module.exports = function apiRoutes() {
 const router = express.Router('content api');
- router.use(cors());
+ router.use(cors({maxAge: config.get('caching:cors:maxAge')}));
 // ## Posts
 router.get('/posts', mw.authenticatePublic, http(api.postsPublic.browse));
diff --git a/core/server/web/api/middleware/cors.js b/core/server/web/api/middleware/cors.js
index bf544d5273..e96ce64bc8 100644
--- a/core/server/web/api/middleware/cors.js
+++ b/core/server/web/api/middleware/cors.js
@@ -2,9 +2,10 @@ const cors = require('cors');
 const url = require('url');
 const os = require('os');
 const urlUtils = require('../../../../shared/url-utils');
+const config = require('../../../../shared/config');
 let allowlist = [];
-const ENABLE_CORS = {origin: true, maxAge: 86400};
+const ENABLE_CORS = {origin: true, maxAge: config.get('caching:cors:maxAge')};
 const DISABLE_CORS = {origin: false};
 /**
diff --git a/core/server/web/members/app.js b/core/server/web/members/app.js
index a9d9c2ac1b..a35a12b50c 100644
--- a/core/server/web/members/app.js
+++ b/core/server/web/members/app.js
@@ -1,9 +1,7 @@
 const debug = require('@tryghost/debug')('members');
-const {URL} = require('url');
 const cors = require('cors');
 const bodyParser = require('body-parser');
 const express = require('../../../shared/express');
-const urlUtils = require('../../../shared/url-utils');
 const sentry = require('../../../shared/sentry');
 const membersService = require('../../services/members');
 const stripeService = require('../../services/stripe');
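Review bot: `router.use(cors({maxAge: config.get('caching:cors:maxAge')}))` in apiRoutes hands the configured value to the header without any type check, and the same applies to the rewritten `ENABLE_CORS` constant in the api/middleware/cors.js hunk below. As far as I recall the `cors` package simply stringifies the option, so a non-numeric value in an operator's config.json is emitted as an invalid `Access-Control-Max-Age` and browsers fall back to their short default preflight cache, while a missing value silently drops the header; the old hard-coded 86400 had neither failure mode. Normalising once per module makes that explicit: `const corsMaxAge = Number.parseInt(config.get('caching:cors:maxAge'), 10);` and then pass `maxAge: Number.isInteger(corsMaxAge) ? corsMaxAge : undefined`. apiRoutes continues past the end of the hunk.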
@@ -11,6 +9,7 @@ const middleware = membersService.middleware;
 const shared = require('../shared');
 const labs = require('../../../shared/labs');
 const errorHandler = require('@tryghost/mw-error-handler');
+const config = require('../../../shared/config');
 const commentRouter = require('../comments');
@@ -22,8 +21,7 @@ module.exports = function setupMembersApp() {
 membersApp.use(shared.middleware.cacheControl('private'));
 // Support CORS for requests from the frontend
- const siteUrl = new URL(urlUtils.getSiteUrl());
- membersApp.use(cors(siteUrl.origin));
+ membersApp.use(cors({maxAge: config.get('caching:cors:maxAge')}));
 // Currently global handling for signing in with ?token= magiclinks
 membersApp.use(middleware.createSessionFromMagicLink);
diff --git a/core/shared/config/defaults.json b/core/shared/config/defaults.json
index 7da3d5fe7e..974509baae 100644
--- a/core/shared/config/defaults.json
+++ b/core/shared/config/defaults.json
@@ -113,6 +113,9 @@
 },
 "robotstxt": {
 "maxAge": 3600000
+ },
+ "cors": {
+ "maxAge": 86400
 }
 },
 "imageOptimization": {
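Review bot: `membersApp.use(cors({maxAge: config.get('caching:cors:maxAge')}))` in setupMembersApp leaves `origin` at the cors package default, so any origin is accepted for the members API, yet the surviving comment `// Support CORS for requests from the frontend` and the removed `cors(siteUrl.origin)` both read as if access were limited to the site's own origin. As far as I can tell the old call never restricted anything — `cors` takes an options object or a delegate function, and a bare string merged into the defaults has no effect — so runtime behaviour is probably unchanged, but that should be checked against the installed `cors` version rather than assumed. Either way the intent needs stating on the line: if wildcard is deliberate, replace the comment with `// CORS for the members API: origin intentionally left at the cors default (any origin); preflight responses are cached for caching:cors:maxAge seconds`; if the site-origin restriction was meant, the object form now makes it possible, `membersApp.use(cors({origin: siteUrl.origin, maxAge: config.get('caching:cors:maxAge')}));`, with the `URL`/`urlUtils` requires dropped in the first members hunk restored. setupMembersApp continues outside the hunk.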
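Review bot: `"cors": {"maxAge": 86400}` is added beside `"robotstxt": {"maxAge": 3600000}` under the same `caching` key, but the two values are in different units: `Access-Control-Max-Age` is expressed in seconds (86400 is one day), whereas the robotstxt value looks like milliseconds (3600000 would be one hour). JSON has no comment syntax, so the unit cannot be recorded here; it belongs wherever the `caching:*` keys are documented for operators, e.g. `caching.cors.maxAge — number of seconds a browser may cache a CORS preflight response for the content and members APIs`. Without that, anyone copying the neighbouring pattern will set a value a thousand times too large.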