diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf index 14a3d4fc2..817b20527 100644 --- a/docs/example.nginx.conf +++ b/docs/example.nginx.conf @@ -90,7 +90,7 @@ server { set $styleSrc "'unsafe-inline' 'self' ${main_domain}"; # connect-src restricts URLs which can be loaded using script interfaces - set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}"; + set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}"; # fonts can be loaded from data-URLs or the main domain set $fontSrc "'self' data: ${main_domain}"; @@ -124,6 +124,7 @@ server { # everything except the sandbox domain is a privileged scope, as they might be used to handle keys if ($host != $sandbox_domain) { set $unsafe 0; } + if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; } # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied if ($unsafe) {