
Ghost Release: 4.48.7

Tag Name: v4.48.7

Release Date: 11/4/2022

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v4.48.7 introduces important CORS handling improvements that fix potential caching issues with cross-origin requests. This release adds proper Vary: Origin headers to both Admin API and Frontend responses, ensuring that CORS requests are correctly cached based on their origin. The update is particularly important for Ghost installations behind caching proxies or CDNs.

Highlights of the Release

    • Fixed CORS handling to properly set Vary: Origin headers for OPTIONS requests
    • Improved caching behavior for cross-origin requests in both Admin API and Frontend
    • Enhanced CORS middleware to prevent header leakage to non-CORS requests

Migration Guide

No migration steps are required for this release. The CORS handling improvements are applied automatically when you upgrade to v4.48.7.

Upgrade Recommendations

This release is recommended for all Ghost users, especially those running Ghost behind caching proxies, CDNs, or those who rely on cross-origin requests to their Ghost installation. The CORS fixes address important caching behavior that could affect API functionality.

Bug Fixes

CORS Handling Improvements

  • Fixed CORS header handling in Admin API: Added proper Vary: Origin header values for OPTIONS requests to ensure correct caching of CORS responses in shared caches and CDNs.

  • Fixed CORS header handling in Frontend: Implemented the same Vary: Origin header for OPTIONS requests on frontend endpoints to properly bucket "allowed CORS" and "disallowed CORS" responses.

  • Fixed CORS vary header modification: Modified the CORS middleware to only set the 'Vary' header with 'Origin' value when processing OPTIONS requests, preventing header leakage to other parts of the request pipeline.

  • Improved CORS middleware unit tests: Updated tests to properly use the OPTIONS request method, ensuring test coverage for the actual CORS handling logic used in production.

New Features

No new features were introduced in this release. This update focuses exclusively on fixing CORS-related issues.

Security Updates

While not explicitly labeled as security fixes, the CORS improvements in this release address potential security concerns related to cross-origin resource sharing. Proper implementation of the Vary: Origin header helps prevent cache poisoning scenarios where CORS responses might be incorrectly served across different origins.
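The bug-fix list above and this paragraph both come down to one mechanism: a preflight (OPTIONS) response that reflects the request's Origin is only safe to store in a shared cache if the cache is told to bucket it by Origin. The following example is added here and is not Ghost's code; it models a preflight handler that sets Vary: Origin only on OPTIONS responses, as the release describes, next to a constructed "no Vary" handler, and runs both through a minimal Vary-aware cache so the difference is visible. The allow-list, URLs and origins are constructed sample values.

```javascript
// Added example, not Ghost's own middleware. Models the Vary: Origin fix
// against a tiny shared cache that honours the Vary header.
// All origins, URLs and the allow-list below are constructed sample values.

const ALLOWED_ORIGINS = new Set(['https://editor.example', 'https://app.example']);

// Preflight handler in the style of the 4.48.7 change: Vary: Origin is set
// only for OPTIONS responses, so it does not leak into other responses.
function handlePreflight(req) {
  const headers = {};
  if (req.method !== 'OPTIONS') {
    return { status: 200, headers, body: 'resource' };
  }
  const origin = req.headers.origin;
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['access-control-allow-origin'] = origin;
    headers['access-control-allow-methods'] = 'GET,POST,OPTIONS';
  }
  // The fix: tell shared caches to key this response on the Origin header,
  // so "allowed" and "disallowed" preflight responses land in separate buckets.
  headers['vary'] = 'Origin';
  return { status: 204, headers, body: '' };
}

// Constructed pre-fix handler for contrast: identical, but omits Vary.
function handlePreflightNoVary(req) {
  const res = handlePreflight(req);
  delete res.headers.vary;
  return res;
}

// Minimal shared cache: keyed on method + URL, and, when a stored response
// carries Vary, also on the request headers that Vary names.
class SharedCache {
  constructor() { this.entries = new Map(); }
  static baseKey(req) { return `${req.method} ${req.url}`; }
  static varyMatches(varyValue, storedReqHeaders, reqHeaders) {
    if (!varyValue) return true; // no Vary: any request matches (the hazard)
    return varyValue.split(',')
      .map(h => h.trim().toLowerCase())
      .every(h => (storedReqHeaders[h] || '') === (reqHeaders[h] || ''));
  }
  lookup(req) {
    const candidates = this.entries.get(SharedCache.baseKey(req)) || [];
    const hit = candidates.find(e =>
      SharedCache.varyMatches(e.res.headers.vary, e.reqHeaders, req.headers));
    return hit ? hit.res : null;
  }
  store(req, res) {
    const key = SharedCache.baseKey(req);
    const list = this.entries.get(key) || [];
    list.push({ reqHeaders: req.headers, res });
    this.entries.set(key, list);
  }
}

// Serve a request from the cache, or from the handler and then cache it.
function fetchThroughCache(cache, req, handler) {
  const cached = cache.lookup(req);
  if (cached) return { ...cached, fromCache: true };
  const res = handler(req);
  cache.store(req, res);
  return { ...res, fromCache: false };
}

// Scenario: an allowed origin preflights first, then a non-allowed origin
// preflights the same URL through the same shared cache.
function runScenario(handler) {
  const cache = new SharedCache();
  const url = '/ghost/api/admin/posts/'; // constructed path
  const allowed = { method: 'OPTIONS', url, headers: { origin: 'https://editor.example' } };
  const other = { method: 'OPTIONS', url, headers: { origin: 'https://other.example' } };
  const first = fetchThroughCache(cache, allowed, handler);
  const second = fetchThroughCache(cache, other, handler);
  return { first, second };
}

const fixed = runScenario(handlePreflight);
console.log('with Vary: second request served from cache?', fixed.second.fromCache,
  'ACAO:', fixed.second.headers['access-control-allow-origin']);
const unfixed = runScenario(handlePreflightNoVary);
console.log('without Vary: second request served from cache?', unfixed.second.fromCache,
  'ACAO:', unfixed.second.headers['access-control-allow-origin']);
```

Without Vary, the cache hands the second origin the first origin's preflight response, Access-Control-Allow-Origin included; with Vary: Origin the second request misses the cache and gets its own (here, non-allowing) response. When checking a deployment behind a CDN, the practical test is the same as this scenario: send two OPTIONS requests for one URL with different Origin values and confirm the reflected Access-Control-Allow-Origin changes with them.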

Performance Improvements

This release doesn't include specific performance improvements, but the CORS-related fixes will improve caching efficiency for cross-origin requests, potentially resulting in better performance for sites using CDNs or caching proxies.

Impact Summary

Ghost v4.48.7 focuses on fixing CORS (Cross-Origin Resource Sharing) handling issues that could affect sites using caching proxies or CDNs. By properly implementing the Vary: Origin header for OPTIONS requests in both the Admin API and Frontend, this release ensures that CORS responses are correctly cached based on their origin.

This is particularly important for Ghost installations that:

  • Are deployed behind CDNs or caching proxies
  • Serve content to multiple origins
  • Have third-party integrations that make cross-origin requests

The fixes prevent scenarios where cached CORS responses might be incorrectly served across different origins, which could lead to API access issues or frontend functionality problems. While this is a minor release with focused changes, it addresses an important aspect of web standards compliance and proper HTTP caching behavior.

Full Release Notes

Statistics:

  • Files changed: 5
  • Line additions: 68
  • Line deletions: 12
  • Line changes: 80
  • Total commits: 5

Users Affected:

  • Improved reliability of Ghost installations behind caching proxies or CDNs
  • Reduced risk of CORS-related issues affecting site functionality
  • Better compliance with web standards for cross-origin resource sharing

Contributors:

  • naz
  • daniellockyer