Preview post and visit site do not work (Ghost 6.0 container)

Issue Summary

  • When I either (a) click on “visit site” or, (b) after composing a new post, click preview, instead of the site/formatted post I instead see a blank page with an error icon, and the text “eldraeverse.com refused to connect”. Looking at the console, I see the fuller error message “Refused to display ‘https://eldraeverse.com/’ in a frame because it set ‘X-Frame-Options’ to ‘deny’.”
  • FYI, I am using “admin.eldraeverse.com” as an admin domain on this install.
  • Visiting sites and previews to work correctly.

Steps to Reproduce

  1. Install Ghost 6.0 using the docker container method, and specifying an admin domain, as per the documentation.
  2. Bring up the admin pages in your web browser.
  3. Select “Visit site” from the left-hand menu.

Setup information

Ghost Version
Ghost 6.0 (self-hosted in Docker)

Node.js Version
Not applicable to docker install.

How did you install Ghost?
Using the container install procedure as per the documentation.

Specific container versions as follows:

fa1cf15c8dd2   caddy:2.10.0-alpine                  "caddy run --config …"   2 days ago   Up 2 days             0.0.0.0:80->80/tcp, [::]:80->80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp, 443/udp, 2019/tcp   ghost-caddy-1
08c8966e0226   ghost:6-alpine                       "docker-entrypoint.s…"   2 days ago   Up 46 hours           0/tcp, 2368/tcp                                                                                   ghost-ghost-1
a331dfc5b6bf   ghcr.io/tryghost/activitypub:1.0.1   "docker-entrypoint.s…"   2 days ago   Up 2 days             8080/tcp                                                                                          ghost-activitypub-1
beef8d1a76ec   mysql:8.0.42                         "docker-entrypoint.s…"   2 days ago   Up 2 days (healthy)   3306/tcp, 33060/tcp                                                                               ghost-db-1

Provide details of your host & operating system
Debian bookworm (12), hosted on a DigitalOcean droplet.

Database type
MySQL 8

Browser & OS version
Windows 11, Microsoft Edge 139.0.3405.73

I’m guessing your Caddyfile has import snippets/SecurityHeaders. And that says:


header {
	# Enable HSTS
	Strict-Transport-Security max-age=31536000;
	# Prevent embedding in frames
	X-Frame-Options DENY
	# Enable XSS protection
	X-XSS-Protection "1; mode=block"
	# Prevent MIME sniffing
	X-Content-Type-Options nosniff
	# Referrer policy
	Referrer-Policy strict-origin-when-cross-origin
}

So… you can try commenting out that line. Or better yet, replace it with ALLOW-FROM, or some content-security-policy headers instead. Here’s some good reading:

I had the same problem. Installing with Docker and having a separate admin domain, I wasn’t able to view site or make use of the previews because of the same “refused to connect” issue.

Going off of @Cathy_Sarisky, I changed the X-Frame-Options from DENY to “allow-from https://admin.mydomain.com”. I don’t know if this is the correct answer, but it at least worked. I had originally tried SAMEORIGIN but that didn’t work since it wasn’t technically the same.

3 Likes
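Added example (not part of any post in this thread, and not Ghost or Caddy code): a simplified model of how current Chromium- and Firefox-based browsers decide whether a parent origin may frame a response, run against the header values tried above plus a CSP frame-ancestors policy. The origins are constructed placeholders. Note the ALLOW-FROM row: those browsers do not recognise that value and ignore the header, so framing works from the admin domain and from every other origin as well.

```javascript
// Simplified model of the framing decision for one parent frame.
// Not modelled: nested ancestors, wildcard or scheme-only CSP sources,
// report-only policies.
function mayFrame(headers, parentOrigin, resourceOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const parent = parentOrigin.toLowerCase();
  const self = resourceOrigin.toLowerCase();

  // 1. CSP frame-ancestors, when present, is enforced instead of X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map((s) => s.toLowerCase());
    const allowed = sources.some((s) => (s === "'self'" ? parent === self : s === parent));
    return { allowed, decidedBy: 'csp' };
  }

  // 2. X-Frame-Options: only DENY and SAMEORIGIN are recognised values.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { allowed: parent === self, decidedBy: 'x-frame-options' };

  // 3. ALLOW-FROM (or any other value) is unrecognised: the header is ignored
  //    and nothing restricts framing.
  return { allowed: true, decidedBy: 'none' };
}

// Constructed sample origins and the four policies under comparison.
const SITE = 'https://example.com';
const ADMIN = 'https://admin.example.com';
const OTHER = 'https://unrelated.example';
const POLICIES = {
  deny: { 'X-Frame-Options': 'DENY' },
  sameorigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  allowFrom: { 'X-Frame-Options': `ALLOW-FROM ${ADMIN}` },
  frameAncestors: { 'Content-Security-Policy': `frame-ancestors 'self' ${ADMIN}` },
};

function compare() {
  const rows = {};
  for (const [name, headers] of Object.entries(POLICIES)) {
    rows[name] = {
      admin: mayFrame(headers, ADMIN, SITE).allowed,
      other: mayFrame(headers, OTHER, SITE).allowed,
    };
  }
  return rows;
}
console.table(compare());
```

In a Caddy header block the last policy would be written as `Content-Security-Policy "frame-ancestors 'self' https://admin.example.com"`, with the placeholder replaced by the real admin origin.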

@themadcodger’s solution worked for me as a workaround, but I believe this still qualifies as a bug which will affect everyone who tries to use ADMIN_DOMAIN per the documentation, and also because the workaround will need reapplying every time Ghost is updated, as the SecurityHeaders snippet isn’t one of the two user-configuration files and will be overwritten by a new git pull.

1 Like

Oh, agreed. I flagged it for the dev team. :)

2 Likes