How to Override Content-Security-Policy of Site A while using nginx proxy_pass on Site B for serving content?


This problem seems similar to the "Nginx as reverse Proxy, remove X-Frame-Options header" thread on the Nginx mailing list. The solution there was proxy_hide_header:

By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed. If, on the contrary, the passing of fields needs to be permitted, the proxy_pass_header directive can be used.


Updated on June 04, 2022

Comments

  • MeSo2 over 1 year

    Is there a way to override the Content-Security-Policy set by the domain/site A while I am using nginx proxy_pass on site B?

    Site A defines a Content-Security-Policy on its domain.
    Site B acts as a reverse proxy for site A.

    How can I override the Content-Security-Policy while serving content from site B?

    How can I achieve this with nginx proxy_pass?

    My current nginx server block looks like this:

    server {
        server_name  proxy-domain.com.;

        location / {
            proxy_pass http://www.target-site.com/;
            proxy_set_header  Accept-Encoding "";
            proxy_set_header  X-Real-IP   $remote_addr;
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    

    I have tried adding

    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'";

    e.g.

    server {
        server_name  proxy-domain.com.;

        location / {
            proxy_pass http://www.target-site.com/;
            proxy_set_header  Accept-Encoding "";
            proxy_set_header  X-Real-IP   $remote_addr;
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'";
    }
    

    but if I check the headers of site B, it shows the modified Content-Security-Policy of site B, yet the content from other sources does not get loaded; only the headers are set.

    Why is that?

    Update: when I check the headers I get two Content-Security-Policy headers: the first is set by site A, and the later one is set by me, i.e. site B.

    e.g.

    Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com www.google.com;
    Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com;
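The configuration below is an added example written for this page, not the original poster's config or text taken from the nginx mailing-list thread. It combines the answer above (proxy_hide_header) with the server block from the question, and shows why the question's approach produced two headers: add_header appends a header, it never replaces the one the upstream sent, and a browser enforces every Content-Security-Policy header it receives, so a resource must satisfy both site A's policy and site B's. The hostnames and the policy value are the placeholders used in the question; the `always` parameter is a real add_header flag (nginx 1.7.5 and later) that makes the header apply to error responses too.

```nginx
server {
    listen 80;
    # Hostnames are the placeholders from the question, not real sites.
    server_name proxy-domain.com;

    location / {
        proxy_pass http://www.target-site.com/;
        proxy_set_header Accept-Encoding "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Drop the upstream policy before adding our own. Without these two
        # lines the client receives both headers and enforces the intersection
        # of the two policies, which is the symptom described in the question.
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header Content-Security-Policy-Report-Only;

        # add_header directives are inherited from the server level only when
        # the location has none of its own, so keeping it next to proxy_pass
        # avoids surprises if another add_header is added here later.
        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com;" always;
    }
}
```

Two things to verify after reloading: inspect the response with `curl -sI http://proxy-domain.com/` and confirm exactly one Content-Security-Policy header is present, and check the proxied HTML for a `<meta http-equiv="Content-Security-Policy">` tag, since a policy delivered in the document body is not a response header and proxy_hide_header cannot remove it. Note also that `'unsafe-inline'` and `'unsafe-eval'`, carried over here from the question, switch off the script restrictions that give CSP most of its value against injected script; a policy that names the specific origins the proxied page actually needs is the usual target once the header plumbing works.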