
🐛 Fixed "View site" screen in admin on private sites with separate admin url #11098

Merged: kevinansfield merged 1 commit into TryGhost:master from kevinansfield:site-app-cors on Sep 9, 2019

Conversation

@kevinansfield (Member)

closes #11078

Problem:

  • the admin client makes an XHR request to the /private/ endpoint when a private site is configured
  • when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint were causing browsers to abort the request
  • browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests; this means allowing all requests on /private/ is not enough

Solution:

  • uses the cors middleware with a dynamic options function for the whole of the front-end site app
  • dynamic options function allows the following requests through:
    • same-origin (browsers and non-browser agents will not send an Origin header)
    • origin is localhost or 127.0.0.1 with any protocol and port
    • origin matches the configured url hostname+port on any protocol
    • origin matches the configured admin:url hostname+port on any protocol

…min url

closes TryGhost#11078

Problem:
- the admin client makes an XHR request to the `/private/` endpoint when a private site is configured
- when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint were causing browsers to abort the request
- browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests; this means allowing all requests on `/private/` is not enough

Solution:
- uses the `cors` middleware with a dynamic options function for the whole of the front-end site app
- dynamic options function allows the following requests through:
  - same-origin (browsers and non-browser agents will not send an `Origin` header)
  - origin is `localhost` or `127.0.0.1` with any protocol and port
  - origin matches the configured `url` hostname+port on any protocol
  - origin matches the configured `admin:url` hostname+port on any protocol
@kevinansfield kevinansfield merged commit ba3c26e into TryGhost:master Sep 9, 2019
@kevinansfield kevinansfield deleted the site-app-cors branch September 9, 2019 16:42

Development

Successfully merging this pull request may close these issues.

Unable to View Site on Admin for private sites with custom domain