mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-03 23:00:14 -05:00
ghost/core
Kevin Ansfield ba3c26ef5c
🐛 Fixed "View site" screen in admin on private sites with separate admin url (#11098)
closes https://github.com/TryGhost/Ghost/issues/11078

Problem:
- the admin client makes an XHR request to the `/private/` endpoint when a private site is configured
- when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint were causing browsers to abort the request
- browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests; this means allowing all requests on `/private/` is not enough

Solution:
- uses the `cors` middleware with a dynamic options function for the whole of the front-end site app
- dynamic options function allows the following requests through:
  - same-origin (browsers and non-browser agents will not send an `Origin` header)
  - origin is `localhost` or `127.0.0.1` with any protocol and port
  - origin matches the configured `url` hostname+port on any protocol
  - origin matches the configured `admin:url` hostname+port on any protocol
2019-09-09 17:42:55 +01:00
..
client@eb4ff95383 Updated Ghost-Admin to 2.30.2 2019-08-28 11:39:00 +01:00
frontend Added guard to asset helper for missing paths 2019-09-09 13:02:45 +01:00
server 🐛 Fixed "View site" screen in admin on private sites with separate admin url (#11098) 2019-09-09 17:42:55 +01:00
test Fixed regression tests expecting relative URLs for admin redirects 2019-09-09 15:52:26 +01:00
index.js Changed where we trigger server start/stop announcement (#9815) 2018-08-22 13:28:31 +02:00
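
The origin rules listed in the commit message above, written out as an added example (not Ghost's own code). `isOriginAllowed`, `makeCorsOptionsDelegate`, `siteUrl` and `adminUrl` are hypothetical names; the delegate uses the `(req, callback)` shape that the `cors` package accepts for dynamic options. Hostnames are compared after parsing, so an origin that merely starts with `localhost` or with the site hostname is not accepted.

```javascript
const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1']);

// Parse a URL or Origin string; returns null for unparseable values such as "null".
function parse(value) {
    try {
        return new URL(value);
    } catch (err) {
        return null;
    }
}

// siteUrl and adminUrl stand in for the configured `url` and `admin:url` (assumed names).
function isOriginAllowed(origin, siteUrl, adminUrl) {
    // No Origin header: treated as same-origin or a non-browser agent, per the commit message.
    if (!origin) {
        return true;
    }
    const parsed = parse(origin);
    if (!parsed) {
        return false;
    }
    // Exact hostname match for local development, any protocol and port.
    if (LOCAL_HOSTNAMES.has(parsed.hostname)) {
        return true;
    }
    // `host` is hostname plus port, so the protocol is ignored in the comparison.
    const allowedHosts = [siteUrl, adminUrl]
        .map(parse)
        .filter(Boolean)
        .map(u => u.host);
    return allowedHosts.includes(parsed.host);
}

// Builds the dynamic options function to hand to the `cors` middleware.
function makeCorsOptionsDelegate(siteUrl, adminUrl) {
    return function corsOptionsDelegate(req, callback) {
        const allowed = isOriginAllowed(req.headers.origin, siteUrl, adminUrl);
        callback(null, {origin: allowed});
    };
}
```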