ghost 4.48.6 → 4.48.7

package/core/frontend/web/middleware/cors.js

@@ -53,4 +53,22 @@ function corsOptionsDelegate(req, callback) {
     callback(null, corsOptions);
 }
 
-module.exports = cors(corsOptionsDelegate);
+/**
+ *
+ * @param {Express.Request} req
+ * @param {Express.Response} res
+ * @param {Function} next
+ */
+const handleCaching = (req, res, next) => {
+    const method = req.method && req.method.toUpperCase && req.method.toUpperCase();
+    if (method === 'OPTIONS') {
+        // @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
+        res.vary('Origin');
+    }
+    next();
+};
+
+module.exports = [
+    handleCaching,
+    cors(corsOptionsDelegate)
+];

package/core/server/web/api/middleware/cors.js

@@ -64,7 +64,7 @@ function getAllowlist() {
  * @param  {Function} cb  callback that configures CORS.
  * @return {null}
  */
-function handleCORS(req, cb) {
+function corsOptionsDelegate(req, cb) {
     const origin = req.get('origin');
 
     // Request must have an Origin header
@@ -80,4 +80,22 @@ function handleCORS(req, cb) {
     return cb(null, DISABLE_CORS);
 }
 
-module.exports = cors(handleCORS);
+/**
+ *
+ * @param {Express.Request} req
+ * @param {Express.Response} res
+ * @param {Function} next
+ */
+const handleCaching = (req, res, next) => {
+    const method = req.method && req.method.toUpperCase && req.method.toUpperCase();
+    if (method === 'OPTIONS') {
+        // @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
+        res.vary('Origin');
+    }
+    next();
+};
+
+module.exports = [
+    handleCaching,
+    cors(corsOptionsDelegate)
+];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "4.48.6",
+  "version": "4.48.7",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",