How to fix Blocked a frame with origin "" from accessing a cross-origin frame for Nginx/Nexus reverse proxy

Greetings! I’m relatively new to Nginx and have encountered a challenge that requires some assistance. I have Nexus deployed in a Kubernetes cluster with serviceType=LoadBalancer accessible at http://node-ip:30001, and it’s functioning smoothly.

Now, I’m aiming to run Nexus behind a reverse proxy using Nginx, accessible at To achieve this, I’ve configured the proxy with the following

server {
    listen 80;
    return 301 https://$host$request_uri;

server {
    listen 443 ssl;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

    ssl_certificate /etc/nginx/ssl/public.pem;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    rewrite ^(/.*)\.html(\?.*)?$ $1$2 redirect;
    rewrite ^/(.*)/$ /$1 redirect;

    location / {
        proxy_pass http://node-ip:30001;
        add_header X-Frame-Options "ALLOWALL";
        add_header Content-Security-Policy "frame-ancestors 'self' *";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        add_header 'Access-Control-Allow-Origin' '*' always;

    error_page 404 /404.html;
    error_page 500 501 502 503 504 /50x.html;

With the provided configuration, I can access Nexus, however, it returns the following error:

Uncaught SecurityError: Failed to read a named property 'document' from 'Window': Blocked a frame with origin "" from accessing a cross-origin frame. (

I’m seeking insights into what might be missing or incorrectly configured. Any thoughts or suggestions?

Hi, similar issues here…

We have Nexus running as a full on-premises installation using IIS reverse proxy.
This is running for years, but now we also see the above error.

I guess it is because of a recent browser security update which is highlighting use of deprecated functions:

[…] (using the ‘document.domain’ setter) is deprecated because it undermines the security protections […]