macbre / docker-nginx-http3

Stable and up-to-date root-less nginx with quic + http/3, google brotli compression, njs, GeoIP2, and Grade A+ SSL config
https://hub.docker.com/r/macbre/nginx-http3

Content-Security-Policy blocks modals (such as window.alert() and window.print()) #72

Closed glics closed 2 years ago

glics commented 2 years ago

In nginx.conf, line 48 sets the 'Content-Security-Policy' header:

more_set_headers "Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';";

This sandboxing mode doesn't include the allow-modals keyword, which results in:

Ignored call to 'alert()'. The document is sandboxed, and the 'allow-modals' keyword is not set.

when trying to call window.alert() from JS. This also applies to window.prompt() and, in my case, window.print().

Is this by design?

macbre commented 2 years ago

@glics - these "security" headers should be treated rather as an example than something opinionated. Feel free to customize them in your own nginx config file.
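As an added illustration of the behaviour discussed in this issue (example code written for this page, not part of docker-nginx-http3 or its nginx.conf): the script below parses a Content-Security-Policy header value, reports which modal-opening calls the `sandbox` directive would make the browser ignore, and rebuilds the header with `allow-modals` added. The header string is the one quoted above; the function names `parseCsp`, `blockedModalApis`, `withSandboxFlag` and `nginxMoreSetHeaders` are my own. The rule it encodes is the one from the HTML sandboxing spec: a sandboxed document may open modals (`alert`, `confirm`, `prompt`, `print`) only when the `allow-modals` keyword is present.

```javascript
// Added example for this issue thread, not code from the docker-nginx-http3 project.
// Constructed input: the CSP value from the nginx.conf line quoted in the issue.
const ORIGINAL_CSP =
  "object-src 'none'; frame-ancestors 'self'; form-action 'self'; " +
  "block-all-mixed-content; sandbox allow-forms allow-same-origin " +
  "allow-scripts allow-popups allow-downloads; base-uri 'self';";

// APIs gated by the HTML "sandboxed modals" flag; without allow-modals the
// browser ignores the call (Chrome logs "Ignored call to 'alert()'...").
const MODAL_APIS = ["window.alert()", "window.confirm()", "window.prompt()", "window.print()"];

// Parse "name tok tok; name tok; ..." into an ordered Map of name -> tokens.
// Directive names and sandbox keywords are ASCII case-insensitive; when a
// directive is repeated, CSP keeps the first occurrence and ignores the rest.
function parseCsp(value) {
  const directives = new Map();
  for (const raw of value.split(";")) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...tokens] = parts;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, tokens);
  }
  return directives;
}

// Return the modal APIs that this policy's sandbox directive would block.
// A bare "sandbox" (no keywords) means fully sandboxed, so everything is blocked.
function blockedModalApis(cspValue) {
  const directives = parseCsp(cspValue);
  if (!directives.has("sandbox")) return []; // no sandbox: modals are not restricted by CSP
  const flags = new Set(directives.get("sandbox").map((t) => t.toLowerCase()));
  return flags.has("allow-modals") ? [] : [...MODAL_APIS];
}

// Rebuild the policy with an extra sandbox keyword, preserving directive order.
// If there is no sandbox directive the value is returned unchanged: adding one
// would make the policy far more restrictive, not less.
function withSandboxFlag(cspValue, flag) {
  const directives = parseCsp(cspValue);
  if (!directives.has("sandbox")) return cspValue;
  const tokens = directives.get("sandbox");
  if (!tokens.some((t) => t.toLowerCase() === flag.toLowerCase())) tokens.push(flag);
  return [...directives]
    .map(([name, toks]) => [name, ...toks].join(" "))
    .join("; ") + ";";
}

// Render the value as the headers-more directive used in the quoted nginx.conf.
function nginxMoreSetHeaders(cspValue) {
  return `more_set_headers "Content-Security-Policy: ${cspValue}";`;
}

// Usage: show what the shipped policy blocks and print the relaxed directive.
console.log("blocked:", blockedModalApis(ORIGINAL_CSP));
console.log(nginxMoreSetHeaders(withSandboxFlag(ORIGINAL_CSP, "allow-modals")));
```

Two caveats worth knowing when editing this in your own nginx config: the `sandbox` directive is only honoured when delivered in the HTTP `Content-Security-Policy` header (it is ignored in a `<meta>` policy and in `Content-Security-Policy-Report-Only`), and adding `allow-modals` relaxes only the modal restriction; the other `allow-*` keywords keep their meaning.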