Sandbox issues when hosting Doxygen in a raw repository

I’m trying to host Doxygen HTML from a Nexus 3 raw repository behind an Nginx reverse proxy but it’s failing to load properly:

Failed to read the ‘cookie’ property from ‘Document’: The document is sandboxed and lacks the ‘allow-same-origin’ flag

After trying various different combinations of removing/modifying x-frame-options and content-security-policy headers, the closest I got to progress was:

Failed to read the ‘cookie’ property from ‘Document’: Access is denied for this document

I already have “nexus.http.denyframe.enabled=false” set in etc/nexus.properties which seemed to have no effect after a restart.

Hosting Doxygen directly with Nginx works fine, so it’s either an issue with the reverse proxy configuration, or the way Nexus is hosting the files.

Any ideas?

Many thanks,

Left it overnight and came back and something changed because it was suddenly working…
In the end, the solution (whether or not it’s a good idea) is in fact to add allow-same-origin to the Content-Security-Policy header:

proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation allow-same-origin";

Still not sure what is doing the caching but I figure it must be either Nginx itself or the browser. The changes to the header served show up straight away after a change though so this feels like a Chrome issue.

It’s not a good idea; you’re making the browser consider the content of a repository as having the same origin as Nexus itself. This protection was added to prevent content stored in the repository from making arbitrary requests to NXRM as the logged-in user.

Yeah I realise that. So is this an issue with the content Doxygen has generated or is there a better solution to this problem?

Maybe there is something in Doxygen that can disable whatever it’s doing with cookies but I have no familiarity with the project.

Aside from that, have nginx serve only the Doxygen content from a different (sub)domain and strip the header.
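
The separate-origin setup suggested above, as an nginx server block (an added example, not from the thread or from Nexus documentation). The hostname, certificate paths, upstream address and repository name are placeholders, and it assumes the raw repository allows anonymous reads.

```nginx
# Added example: serve only the Doxygen repository on its own origin.
# All names, paths and addresses below are placeholders.
server {
    listen 443 ssl;
    server_name docs.example.test;          # a different host from the Nexus UI

    ssl_certificate     /etc/nginx/tls/docs.example.test.crt;
    ssl_certificate_key /etc/nginx/tls/docs.example.test.key;

    location / {
        # Read-only: GET (and therefore HEAD) are allowed, everything else is refused.
        limit_except GET { deny all; }

        # Map this origin onto one raw repository only, so no other
        # Nexus path (UI, REST API) is reachable through this host.
        proxy_pass http://127.0.0.1:8081/repository/doxygen-docs/;

        # Never forward browser credentials from this origin to Nexus.
        proxy_set_header Cookie "";
        proxy_set_header Authorization "";

        # Never let Nexus establish a session on this origin.
        proxy_hide_header Set-Cookie;

        # Drop the sandbox policy here only. The content now runs under the
        # docs origin, not the Nexus origin, so the Nexus host keeps its
        # original Content-Security-Policy untouched.
        proxy_hide_header Content-Security-Policy;
    }
}
```

The isolation depends on the Nexus session cookie being scoped to the Nexus host only; a cookie set with a Domain attribute that also covers the docs host would be readable by scripts there unless it is HttpOnly.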

Okay thanks. Sounds like it’s the same issue for Javadoc too. In fact, looks like you replied to that too over on Google Groups! I don’t want to serve it from a different subdomain so I’ll have to go talk to the Doxygen guys.

Thanks again!