Unable to "Export your content" on multiple browsers

[PaszaVonPomiot]

Issue Summary

I'm not able to export content on Chrome, Comodo Dragon and Edge. It works only on Firefox.
I tried in incognito mode and after clearing cache, cookies etc. with no luck. No error message appears on ghost side. Chrome starts the download but it fails with network error, Edge doesn't even start. Firewalls and antiviruses disable. Tested in incognito as well. Can you replicate this error on your computers?

Steps to Reproduce

1. Setup ghost beta1 with nginx and SSL from certbot
2. Try to export content on Chrome, Comodo Dragon or Edge

Technical details:

• Ghost Version: beta1.0
• Node Version: v6.11.0
• OS: Centos 7.3 + nginx + SSL
• Database: MariaDB

[kirrg001]

Hey @PaszaVonPomiot 👋

Thanks again for your reports.

it fails with network error

Could you please provide the details for the network error?

[kirrg001]

@PaszaVonPomiot ping

[PaszaVonPomiot]

@kirrg001 in Chrome console I've got this:

Refused to display 'https://www.domena.pl/ghost/api/v0.1/db/?access_token=pmZpLJYOkJ…SxFmAslckvnHxlCoQDHQoDw6qpmoQstYtZcVeZd6yascP6uCHMY14OHLoeEvH6gP1nWrLNTQ3u' in a frame because it set 'X-Frame-Options' to 'deny'.vendor.min-56d2d0ba2fb8afe28f7dd921a688a927.js:9 
GET https://www.domena.pl/ghost/api/v0.1/db/?access_token=pmZpLJYOkJ…SxFmAslckvnHxlCoQDHQoDw6qpmoQstYtZcVeZd6yascP6uCHMY14OHLoeEvH6gP1nWrLNTQ3u net::ERR_BLOCKED_BY_RESPONSE

[PaszaVonPomiot]

In Edge I've got this with "pending" status:

https://domena.pl/ghost/api/v0.1/db/?access_token=2o8JADd357cwvQqGk2HCKakNQ1lAcctdsFqH10dUqdmZZJbMayLFaSv1sp6VoWQXmGR81tAbYlxRd21coB0Q4QsZxVNmwNFZe8KSc62pndyv30FCEARgRJKpahxX7PusUwhgIAIc28Am5mSbyMnA2ucILisS06XrnIRGkUJeBfsioEO5DeRQ2pN2yW1lIua		GET	null			0 s	document

[PaszaVonPomiot]

Okay, so if I copy the request URL and paste it manually to address bar it works on every browser. But doesn't work when I click the export button.

This is the URL I used:
https://domena.pl/ghost/api/v0.1/db/?access_token=2o8JADd357cwvQqGk2HCKakNQ1lAcctdsFqH10dUqdmZZJbMayLFaSv1sp6VoWQXmGR81tAbYlxRd21coB0Q4QsZxVNmwNFZe8KSc62pndyv30FCEARgRJKpahxX7PusUwhgIAIc28Am5mSbyMnA2ucILisS06XrnIRGkUJeBfsioEO5DeRQ2pN2yW1lIua

[kirrg001]

because it set 'X-Frame-Options' to 'deny'

It looks you have configured X-Frame-Options in your htaccess file or apache/nginx?
This is a server side configuration and should be unrelated to Ghost.

I am not able to reproduce, can you please swing by our slack channel and
ask in the help channel? Thanks 👋!

[PaszaVonPomiot]

Okay that's correct - in nginx.conf there was:
add_header X-Frame-Options DENY;

I fixed it without harm in https://www.ssllabs.com test results by changing it to:
add_header X-Frame-Options SAMEORIGIN;

Thanks for solving this one!

[ErisDS]

@kirrg001 I believe this issue needs to be reopened.

I have two blogs:

one is running 0.11.9, installed using DO's 1-click image
the other is running 10.0.0-beta.1, installed using ghost-cli

They are both installed on single DO droplets based on ubuntu 16.04
nginx version: nginx/1.10.0 (Ubuntu)

Both of them have the default nginx.conf file, with the singular exception of the addition of the line

client_max_body_size 50m;
after
types_hash_max_size 2048;

(Note: need to raise a question in Ghost-cli about client_max_body_size, either needs to be added or documented)

There is nothing resembling add_header or X-Frame-Options in the nginx.conf file, or the individual virtual hosts on either blog/droplet.

On the 0.11.9 blog, I can export.
On the 1.0.0-beta.1 blog, I cannot export

Refused to display 'https://<blogurl>/ghost/api/v0.1/db/?access_token=xkJgFW6To0bppnZ28lk…L9HUaSFfTjiZIWKn5PZpxE3vHT3KjH8teeclnUaR5g4jUBLKSNQs8trIsfUMg4QXYebQiIlOMk' in a frame because it set 'X-Frame-Options' to 'deny'.
vendor.min-56d2d0ba2fb8afe28f7dd921a688a927.js:9 GET https://<blogurl>/ghost/api/v0.1/db/?access_token=xkJgFW6To0bppnZ28lk…L9HUaSFfTjiZIWKn5PZpxE3vHT3KjH8teeclnUaR5g4jUBLKSNQs8trIsfUMg4QXYebQiIlOMk net::ERR_BLOCKED_BY_RESPONSE

It seems that something has changed in the alpha. It could still be that I am missing some config that the DO image has, but that seems unlikely because a) I can't see it and b) I haven't seen people raise this issue, whereas the client max body config issue gets mentioned all the time.

I don't know if this needs a fix, or if we need to add extra handling to ghost-cli/documentation, but it seems very odd to me that this is suddenly happening now and wasn't before.

[kirrg001]

Interesting. I just found this https://github.com/TryGhost/Ghost-CLI/blob/master/lib/services/nginx/files/ssl-params.conf#L12. Looks like the CLI sets this when enabling ssl. I would suggest to move this issue over to the CLI 👍

[ErisDS]

Good find! 🎣 OK will do 👍