Sandbox issues when hosting Doxygen in a raw repository

I’m trying to host doxygen html from a Nexus 3 raw repository behind an Nginx reverse proxy but it’s failing to load properly:

Failed to read the ‘cookie’ property from ‘Document’: The document is sandboxed and lacks the ‘allow-same-origin’ flag

After trying various different combinations of removing/modifying x-frame-options and content-security-policy headers, the closest I got to progress was:

Failed to read the ‘cookie’ property from ‘Document’: Access is denied for this document

I already have “nexus.http.denyframe.enabled=false” set in etc/ which seemed to have no effect after a restart.

Hosting Doxygen directly with Nginx works fine, so it’s either an issue with the reverse proxy configuration, or the way Nexus is hosting the files.

Any ideas?

Many thanks,

Left it over night and came back and something changed because it was suddenly working…
In the end, the solution (whether or not it’s a good idea) is in fact to add allow-same-origin to the Content-Security-Policy header:

proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation allow-same-origin";

Still not sure what is doing the caching but I figure it must be either Nginx itself or the browser. The changes to the header served show up straight away after a change though so this feels like a Chrome issue.

Its not a good idea, you’re making the browser consider the content of a repository as having the same origin as Nexus itself. This protection was added to prevent content stored in the repository from making arbitrary requests to NXRM as the logged in user.

Yeah I realise that. So is this an issue with the content Doxygen has generated or is there a better solution to this problem?

Maybe there is something in Doxygen that can disable whatever its doing with cookies but I have no familiarity with the project.

Aside from that have nginx serve the only the doxygen content from a different (sub)domain and strip the header.

Okay thanks. Sounds like it’s the same issue for Javadoc too. In fact, looks like you replied to that too over on Google Groups! I don’t want to serve it from a different subdomain so I’ll have to go talk to the Doxygen guys.

Thanks again!