d0zingcat/ghost-docker
1
0
Fork 0
mirror of https://github.com/d0zingcat/ghost-docker.git synced 2026-05-13 15:09:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixed "View site" and post previews in Ghost Admin (#60)

Browse Source 
* Fixed "View site" and post previews in Ghost Admin

ref https://linear.app/ghost/issue/ONC-1097/preview-post-does-not-work-on-separate-ghostadmin-domains
ref https://linear.app/ghost/issue/ONC-1090/oss-issue-previewing-site-from-subdomain-admin-panel-results-in

In Ghost Admin, the frontend of the site is loaded in an iframe in a few places:
- The "View site" tab on the sidebar
- In post previews

Using the default docker setup in this repository, these iframes fail to load because of the `X-Frame-Options DENY` header that is added by Caddy. This fixes the problem by replacing `X-Frame-Options DENY` with a Content Security Policy that allows the site to be embedded in an iframe on the site's domain itself and on the admin domain, if configured.

* Update SecurityHeaders

Spaces -> Tabs

---------

Co-authored-by: James Loh <git@jloh.co>
This commit is contained in:
Chris Raible
2025-08-18 12:13:11 -07:00
committed by GitHub
parent 440f5817c2
commit fb6040fd0c
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
caddy/snippets/SecurityHeaders
View File

@@ -1,12 +1,12 @@
header {
# Enable HSTS
Strict-Transport-Security max-age=31536000;
# Prevent embedding in frames
X-Frame-Options DENY
# Enable XSS protection
X-XSS-Protection "1; mode=block"
# Prevent MIME sniffing
X-Content-Type-Options nosniff
# Referrer policy
Referrer-Policy strict-origin-when-cross-origin
# Prevent embedding in external iframes
Content-Security-Policy "frame-ancestors 'self' {$ADMIN_DOMAIN:}"
}