Closed benchonaut closed 1 year ago
Hello @benchonaut,
With the 1.5.1 release, you can now use the KEEP_UPSTREAM_HEADERS setting to list headers coming from upstream that you want to keep. The default value is set to Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options.
Thanks for your issue.
Description
Content-Security-Policy is not set via map; also X-Content-Security-Policy etc. are missing. Also, one cannot set it from the webserver behind bunkerized nginx.
How to reproduce
Start it with a site that has Content-Security-Policy / X-Content-Security-Policy: you cannot open target="_blank" pages due to the sandbox in the CSP, even when sending correct headers from upstream.
Example image of Firefox
Firefox will fetch the contents of your _blank target (as the browser console shows) but not show it; instead "Blocked Page" (here in German "Blockierte Seite") will appear.
Logs
(none, your browser will e.g. show a blocked page or misbehave when you expect to have the Content-Security-Policy from your backend)
Fix
To fix it (be careful, this one has a very open default CSP, since you should send these headers from your framework) you would need a map setup similar to the one here:
https://gitlab.com/the-foundation/flying-docker-compose-letsencrypt-nginx-proxy-companion/-/blob/master/nginx.tmpl.behindproxy#L406
https://gitlab.com/the-foundation/flying-docker-compose-letsencrypt-nginx-proxy-companion/-/blob/master/nginx.conf#L49
Put in nginx.conf
and then in your server or location context:
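The map pattern the Fix section refers to, written out as an added example; this is neither the reporter's linked template nor bunkerized-nginx's own configuration. It hides whatever Content-Security-Policy the backend sent, then re-emits it through a map that substitutes a proxy-side default only when upstream sent nothing, so the browser never sees two CSP headers (with two, it enforces both, and a proxy-side sandbox directive then blocks the target="_blank" page even though the backend's policy was correct). The backend address, the server_name and the fallback policy are assumptions.

```nginx
# Added example, not bunkerized-nginx configuration.
# Assumed: backend at 127.0.0.1:8080, server_name example.org, and the
# fallback policy in the map below.
http {
    # $upstream_http_content_security_policy is the header the backend sent
    # (empty if it sent none). Prefer it; fall back to a proxy default only
    # when it is empty.
    map $upstream_http_content_security_policy $csp_header {
        default $upstream_http_content_security_policy;
        ""      "default-src 'self'";   # assumed fallback, adjust to taste
    }

    # Same pattern for the legacy X-Content-Security-Policy header. An empty
    # value makes add_header emit nothing, so the header is only sent when
    # the backend sent it.
    map $upstream_http_x_content_security_policy $x_csp_header {
        default $upstream_http_x_content_security_policy;
        ""      "";
    }

    server {
        listen 80;                 # TLS listener omitted for brevity
        server_name example.org;   # assumed

        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed backend

            # Drop the upstream copies so each header is emitted exactly once
            # (via add_header below) instead of alongside a proxy-side policy.
            proxy_hide_header Content-Security-Policy;
            proxy_hide_header X-Content-Security-Policy;

            # "always" applies the header to error responses as well.
            add_header Content-Security-Policy   $csp_header   always;
            add_header X-Content-Security-Policy $x_csp_header always;
        }
    }
}
```

Check it with `curl -sI http://example.org/` against a backend that sets its own CSP and one that does not: in the first case the backend's policy must come through unchanged and appear exactly once; in the second the fallback policy must appear. The map blocks belong in the http context (nginx.conf), the proxy_hide_header and add_header lines in the server or location context, which is the split the reporter describes.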