Modals (confirm, alert) stopped working in custom plugins in Camunda Cockpit after migration 7.17 -> 7.20

Hi Everyone,

I have created a custom plugin for Camunda Cockpit. It shows a confirm modal window to make sure that the user doesn’t click a button by accident. It works fine on Camunda 7.17. Recently I’ve upgraded Camunda 7.17 → 7.20. Now the modal window doesn’t work and I see an error message in the browser console:

Ignored call to ‘confirm()’. The document is sandboxed, and the ‘allow-modals’ keyword is not set.

And also a warning message:

An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.

@ykuzmenko You are facing this because from Camunda 7.19 onwards the Content Security Policy has been made more stringent for security reasons. You are probably violating the Camunda CSP.
You can refer to this documentation for details: HTTP Header Security | docs.camunda.org

Solution:

The configuration for changing the CSP is documented here: Process Engine Configuration | docs.camunda.org

Look for content-security-policy-value under camunda.bpm.webapp.header-security.

If you are using a Spring Boot based solution, then you can override the CSP using the following OS environment variable (Spring Boot relaxed binding):

CAMUNDA_BPM_WEBAPP_HEADERSECURITY_CONTENTSECURITYPOLICYVALUE

If you have some other distribution, then the configuration steps will vary depending on that.

The changes in the CSP will depend on the error you are seeing. Here is one example with allow-modals in sandbox:

base-uri 'self';
script-src $NONCE 'strict-dynamic' 'unsafe-eval' https: 'self' 'unsafe-inline';
style-src 'unsafe-inline' 'self';
default-src 'self';
img-src 'self' data:;
block-all-mixed-content;
form-action 'self';
frame-ancestors 'none';
object-src 'none';
sandbox allow-modals allow-forms allow-scripts allow-same-origin allow-popups allow-downloads;
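To check a configured CSP value against the two console messages quoted in the question before deploying it, here is a small added Python checker (not part of this thread or of Camunda). It parses the header value into directives and inspects the sandbox directive; the embedded CSP is the example policy from the answer above, and the $NONCE placeholder is left as literal text.

```python
"""Parse a Content-Security-Policy value and check its sandbox directive.

Added example for this thread; not Camunda code. The sample policy below is
copied from the answer above and treated as the complete header value.
"""
from typing import Dict, List

EXAMPLE_CSP = (
    "base-uri 'self'; "
    "script-src $NONCE 'strict-dynamic' 'unsafe-eval' https: 'self' 'unsafe-inline'; "
    "style-src 'unsafe-inline' 'self'; default-src 'self'; img-src 'self' data:; "
    "block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; "
    "object-src 'none'; "
    "sandbox allow-modals allow-forms allow-scripts allow-same-origin allow-popups allow-downloads;"
)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [tokens]}.

    Directives are separated by ';' and tokens by whitespace; directive
    names are case-insensitive. Browsers honour only the first occurrence
    of a repeated directive, so later duplicates are dropped here as well.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def check_sandbox(value: str) -> List[str]:
    """Return findings that matter for Cockpit plugins calling confirm()/alert()."""
    policy = parse_csp(value)
    findings: List[str] = []
    if "sandbox" not in policy:
        return findings  # no sandbox directive, so modals are not restricted by CSP
    flags = {t.lower() for t in policy["sandbox"]}
    if "allow-modals" not in flags:
        # This is the 'Ignored call to confirm()' error from the question.
        findings.append("sandbox lacks allow-modals: confirm()/alert() calls are ignored")
    if {"allow-scripts", "allow-same-origin"} <= flags:
        # This is the browser warning from the question: with both keywords
        # the framed content can remove its own sandbox attribute.
        findings.append("sandbox has both allow-scripts and allow-same-origin: "
                        "the sandbox can be escaped (browser warning)")
    return findings
```

Running check_sandbox on the example policy reports only the allow-scripts/allow-same-origin warning, which matches what the question sees after adding allow-modals.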