no issue
- browsers now block cross-origin cookies unless they are explicitly set with `SameSite=none` and `Secure=true` options which was preventing the login request made by Ghost-Admin from working
- added an explicit `SameSite=none` option to the private site session cookie
- will only work when the front-end site is served over HTTPS - there's no way to get browsers to accept cross-origin cookies over HTTP
no issue
- Sentry flagged up a redirect URL for the POST action of accessing a
private site which would throw a 500
- `decodeURIComponent` would throw an error if it was passed bad data
- this commit moves the `decodeURIComponent` inside the try-catch to
handle the error
refs #10790
- Moved /core/apps into core/frontend
- Moved /core/server/helpers to /core/frontend/helpers along with /core/server/services/themes
- Changed helper location in overrides
- Moved /core/server/services/routing to /core/frontend/services
- Moved /core/server/services/url to /core/frontend/services
- Moved /core/server/data/meta to /core/frontend/meta
- Moved /core/server/services/rss to /core/frontend/services
- Moved /core/server/data/xml to /core/frontend/services
