mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-03 23:00:14 -05:00
ghost/core/server/web
Kevin Ansfield ba3c26ef5c
🐛 Fixed "View site" screen in admin on private sites with separate admin url (#11098)
closes https://github.com/TryGhost/Ghost/issues/11078

Problem:
- the admin client makes an XHR request to the `/private/` endpoint when a private site is configured
- when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint were causing browsers to abort the request
- browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests; this means allowing all requests on `/private/` is not enough

Solution:
- uses the `cors` middleware with a dynamic options function for the whole of the front-end site app
- dynamic options function allows the following requests through:
  - same-origin (browsers and non-browser agents will not send an `Origin` header)
  - origin is `localhost` or `127.0.0.1` with any protocol and port
  - origin matches the configured `url` hostname+port on any protocol
  - origin matches the configured `admin:url` hostname+port on any protocol
2019-09-09 17:42:55 +01:00
admin Migrated to use url-utils from Ghost-SDK (#10787) 2019-06-18 15:13:55 +02:00
api Updated members service to use magic-link signin 2019-09-05 11:14:50 +08:00
shared Switched private login brute errors to correct error status code 2019-09-09 16:02:21 +01:00
site 🐛 Fixed "View site" screen in admin on private sites with separate admin url (#11098) 2019-09-09 17:42:55 +01:00
index.js Refactored how we require shared middlewares from web/ (#9893) 2018-09-21 16:17:11 +05:30
parent-app.js Moved members static pages to members api URL (#10887) 2019-07-09 19:02:44 +08:00