如何在站点 B 上使用 nginx proxy_pass 来提供内容时覆盖站点 A 的 Content-Security-Policy？

Question

当我在站点 B 上使用 nginx proxy_pass 时，有没有办法覆盖 domain/site A 设置的 Content-Security-Policy。

Site A defined Content-Security-Policy on their domain.
Site B acts as a reverse proxy for site A.

如何在从站点 B 提供内容时覆盖 Content-Security-Policy？

如何在 nginx 代理传递中实现此目的？

我当前的 nginx 服务器块看起来像这样

server {
server_name  proxy-domain.com.;

    location / {
      proxy_pass http://www.target-site.com/;
      proxy_set_header  Accept-Encoding ""; 
      proxy_set_header  X-Real-IP   $remote_addr;   
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
   }
}

我试过添加

add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'

例如

server {
server_name  proxy-domain.com.;

    location / {
      proxy_pass http://www.target-site.com/;
      proxy_set_header  Accept-Encoding ""; 
      proxy_set_header  X-Real-IP   $remote_addr;   
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
   }
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'
}

但是如果我检查站点 B 的 headers，那么它会显示站点 B 的已修改 Content-Security-Policy，但不会加载来自其他来源的内容。只设置了 headers .

这是为什么？

更新： 当我检查 headers 时，我得到 2 Content-Security-Policy headers ，首先由站点 A 设置，然后 Content-Security-Policy headers 设置为我的站点 B.

例如

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com www.google.com;
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com;

Answer 1

这个问题似乎与 Nginx as reverse Proxy, remove X-Frame-Options header thread on the Nginx mailing list. That solution was proxy_hide_header

By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed. If, on the contrary, the passing of fields needs to be permitted, the proxy_pass_header directive can be used.