How to Override Content-Security-Policy of Site A while using nginx proxy_pass on Site B for serving content?

Submitted by ℡╲_俬逩灬 on 2020-06-23 07:37:51

Question


Is there a way to override the Content-Security-Policy set by domain/site A while I am using nginx proxy_pass on site B?

Site A defined Content-Security-Policy on their domain.
Site B acts as a reverse proxy for site A.

How can I override the Content-Security-Policy while serving content from site B?

How can I achieve this with nginx proxy_pass?

My current nginx server block looks like this:

server {
    server_name proxy-domain.com.;

    location / {
        proxy_pass http://www.target-site.com/;
        proxy_set_header Accept-Encoding "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

I have tried adding

add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'";

e.g.

server {
    server_name proxy-domain.com.;

    location / {
        proxy_pass http://www.target-site.com/;
        proxy_set_header Accept-Encoding "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'";
}

But if I check the headers of site B, it shows the modified Content-Security-Policy of site B, yet the content from other sources does not get loaded; only the headers are set.

Why is that?

Update: when I check the headers I get 2 Content-Security-Policy headers; the first is set by site A and the later one is the Content-Security-Policy header set by me, i.e. site B.

e.g.

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com www.google.com;
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com;

Answer 1:


This problem seems similar to the "Nginx as reverse Proxy, remove X-Frame-Options header" thread on the Nginx mailing list. That solution was proxy_hide_header.

By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed. If, on the contrary, the passing of fields needs to be permitted, the proxy_pass_header directive can be used.
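An added example, not part of the original question or answer, of the configuration the answer points to. Browsers enforce every Content-Security-Policy header they receive, so when two arrive a resource has to be allowed by both policies; that is why the permissive second header in the question changed nothing. Dropping the upstream header with proxy_hide_header leaves only the proxy's own policy. The hostnames and the source list are placeholders carried over from the question.

```nginx
server {
    server_name proxy-domain.com;

    location / {
        proxy_pass http://www.target-site.com/;
        proxy_set_header Accept-Encoding "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Do not forward the upstream policy (or its report-only variant).
        # If both headers reach the browser, both are enforced, so the
        # stricter one effectively wins.
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header Content-Security-Policy-Report-Only;

        # Policy served in its place. It is placed in this location block
        # because a location that has any add_header of its own does not
        # inherit the add_header directives of the enclosing server block.
        # "always" also attaches it to error responses.
        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com;" always;
    }
}
```

Check the result with `curl -sI https://proxy-domain.com/ | grep -i content-security-policy`; exactly one line should come back. Two caveats: the proxy is now weakening a protection the origin deliberately set, and 'unsafe-inline' and 'unsafe-eval' switch off most of what CSP does against XSS, so keep the replacement policy to the sources the proxied pages actually need rather than copying the question's placeholder list.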



Source: https://stackoverflow.com/questions/33300111/how-to-override-content-security-policy-of-site-a-while-using-nginx-proxy-pass-o
