mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-19 08:31:43 +03:00
ba3c26ef5c
closes https://github.com/TryGhost/Ghost/issues/11078

Problem:
- the admin client makes an XHR request to the `/private/` endpoint when a private site is configured
- when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint were causing browsers to abort the request
- browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests; this means allowing all requests on `/private/` is not enough

Solution:
- uses the `cors` middleware with a dynamic options function for the whole of the front-end site app
- dynamic options function allows the following requests through:
  - same-origin (browsers and non-browser agents will not send an `Origin` header)
  - origin is `localhost` or `127.0.0.1` with any protocol and port
  - origin matches the configured `url` hostname+port on any protocol
  - origin matches the configured `admin:url` hostname+port on any protocol
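The four origin rules listed in the commit message, written out as a dynamic options delegate of the kind the `cors` package accepts. This is an added example and not Ghost's own code: the `config` object shape (`url`, `adminUrl`) and every helper name are assumptions made for the illustration, and the `cors` package is not needed to run it.

```javascript
// Added example (not Ghost's code): a dynamic CORS origin check implementing
// the four rules from the commit message. The config shape { url, adminUrl }
// and all helper names are assumptions made for this illustration.

const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1']);

// Parse an Origin header value. Returns a URL for an absolute scheme://host
// origin, or null for anything else (malformed values, the literal "null"
// origin that sandboxed iframes and some redirects send, empty strings).
function parseOrigin(origin) {
  if (typeof origin !== 'string' || origin === '') return null;
  try {
    const u = new URL(origin);
    return u.hostname ? u : null;
  } catch (e) {
    return null;
  }
}

// hostname[:port] of a configured URL with scheme and path dropped, so that
// http:// and https:// variants of the same site compare equal (rules 3 and 4).
function hostOf(urlString) {
  const u = parseOrigin(urlString);
  return u ? u.host : null;
}

// True when a request carrying `origin` may be answered with CORS headers.
function originAllowed(origin, config) {
  // Rule 1: no Origin header at all (same-origin fetches and non-browser
  // agents, as the commit message describes). This is "absent", not
  // "unparseable": a malformed or "null" Origin is rejected below.
  if (origin === undefined || origin === null) return true;

  const parsed = parseOrigin(origin);
  if (!parsed) return false;

  // Rule 2: local development origins, any scheme and any port.
  if (LOCAL_HOSTNAMES.has(parsed.hostname)) return true;

  // Rules 3 and 4: the configured site URL and admin URL, compared on
  // hostname+port only so the scheme may differ. A missing adminUrl is
  // simply filtered out.
  const allowedHosts = [config.url, config.adminUrl].map(hostOf).filter(Boolean);
  return allowedHosts.includes(parsed.host);
}

// Delegate in the per-request options shape the cors package accepts,
// i.e. app.use(cors(makeCorsOptionsDelegate(config))). `origin: true`
// reflects the request's Origin back; `origin: false` adds no CORS headers.
function makeCorsOptionsDelegate(config) {
  return function corsOptionsDelegate(req, callback) {
    const origin = req.headers ? req.headers.origin : undefined;
    callback(null, { origin: originAllowed(origin, config) });
  };
}
```

Two points worth checking when mounting a check like this on a whole site app. First, matching on hostname+port deliberately ignores the scheme, as the commit message states, so an `http://` origin for the configured `https://` host is accepted; if the site is HTTPS-only that can be tightened by comparing `parsed.protocol` as well. Second, a browser does send an `Origin` header on some same-origin requests (for example a same-origin POST), which is fine here because such an origin equals the configured `url` host and is admitted by rule 3 rather than rule 1; only a truly absent header relies on rule 1, and an `Origin: null` value is rejected.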
Directory listing:

adapters
api
config
data
lib
models
public
services
translations
views
web
analytics-events.js
ghost-server.js
index.js
overrides.js
update-check.js