I have the following conf.d/prod.conf.

  • It does not raise `Refused to display 'https://v10.frontend.tech/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.`, thanks to `add_header Content-Security-Policy "frame-ancestors *";`.

  • However, it raises the error `Access to XMLHttpRequest at 'https://v10.frontend.tech/lib/functions.json' from origin 'https://excel.officeapps.live.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.`

# Response compression settings, applied at the level this file is included at.
# NOTE(review): compressing HTTPS responses that mix secrets with
# request-controlled data is the precondition for BREACH-style side channels;
# confirm that the text/JSON types below never carry such content.
gzip on;
# Compress responses to proxied requests as well, regardless of their headers.
gzip_proxied any;
gzip_disable "msie6";
# Emit "Vary: Accept-Encoding" so caches keep compressed and plain variants apart.
gzip_vary on;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
# Responses shorter than 256 bytes are sent uncompressed.
gzip_min_length 256;
# MIME types eligible for compression. The list includes image/jpeg and
# image/png, which are already compressed formats.
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/rss+xml text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/jpeg image/png image/svg+xml image/x-icon;

# Upstream group used by the /auth/ location below. The single peer is addressed
# by IP on port 443, so the name sent in the TLS handshake comes from the
# proxy_ssl_name / proxy_ssl_server_name directives in the server block.
upstream backend {
   server 178.62.87.72:443;
}

# TLS virtual host for v10.frontend.tech. It redirects a few paths, proxies
# /auth/ to the "backend" upstream over HTTPS, and proxies everything else to
# the application at v10:8080.
# Regex locations are tested in the order they appear and the first match wins;
# the prefix location "/" is used only when none of them match.
server {
    listen              443 ssl;
    ssl_certificate     /etc/letsencrypt/live/v10.frontend.tech/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/v10.frontend.tech/privkey.pem;
    server_name v10.frontend.tech;
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); consider
    # restricting this list to TLSv1.2 and newer.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Without the "always" parameter, add_header attaches a header only to the
    # success and redirect status codes it covers by default, so error
    # responses do not carry HSTS.
    add_header Strict-Transport-Security max-age=15768000;
    # "frame-ancestors *" allows any origin to embed this site in a frame, which
    # removes clickjacking protection. Listing only the origins that need to
    # embed it is tighter. Browsers that honour frame-ancestors ignore
    # X-Frame-Options when this directive is present.
    add_header Content-Security-Policy "frame-ancestors *";
    # Name used for SNI (and for certificate verification, when enabled) on TLS
    # connections to the upstream.
    # NOTE(review): proxy_ssl_verify is not set in this file and defaults to
    # off, so the upstream certificate is not validated unless it is enabled
    # elsewhere.
    proxy_ssl_name "www.backend.io";
    proxy_ssl_server_name on;

    # Unanchored regex: matches any URI that contains "/socialLoginSuccess".
    # Responds with a temporary redirect to the front-end hash route.
    location ~ /socialLoginSuccess {
        rewrite ^ '/#/socialLoginSuccess' redirect;
    }

    # Unanchored regex: matches "/auth/" anywhere in the URI, not only at the
    # start. The captured remainder and the original query string are forwarded
    # to the upstream group over HTTPS with a fixed Host header.
    location ~ /auth/(.*) {
        proxy_pass  https://backend/frontend/auth/$1?$query_string;
        proxy_set_header Host v10.frontend.tech;
    }

    # Redirects to fixed Stripe hosts; only the path suffix comes from the request.
    location ~ ^/stripe_checkout/(.*)$ {
        return 302 https://checkout.stripe.com/pay/$1;
    }

    location ~ ^/stripe_billing/(.*)$ {
        return 302 https://billing.stripe.com/p/session/$1;
    }

    # Default location: everything not matched above goes to the application.
    location / {
        # NOTE(review): add_header directives are inherited from the enclosing
        # level only when the current level defines none of its own. Enabling
        # the line below therefore drops the server-level Strict-Transport-Security
        # and Content-Security-Policy headers for this location; they would
        # have to be repeated here. X-Frame-Options is not set anywhere in this
        # file, so it presumably comes from the upstream response.
        # A wildcard Access-Control-Allow-Origin lets any origin read these
        # responses; naming the specific origin(s) that need access is tighter.
        # add_header 'Access-Control-Allow-Origin' '*';
        proxy_set_header    Host                $host;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        # An empty value removes the header from the proxied request.
        proxy_set_header    Accept-Encoding     "";
        # Presumably strips a client-supplied "Proxy" header (httpoxy mitigation).
        proxy_set_header    Proxy               "";
        # Plain HTTP to the application; TLS ends at this server.
        proxy_pass          http://v10:8080/;

        # These three lines added as per https://github.com/socketio/socket.io/issues/1942 to remove socketio error
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        # Sent on every proxied request, not only on WebSocket upgrades.
        proxy_set_header   Connection "upgrade";
    }
}

If I uncomment `add_header 'Access-Control-Allow-Origin' '*';`,

  • it does not raise Access to XMLHttpRequest at 'https://v10.frontend.tech/lib/functions.json' from origin 'https://excel.officeapps.live.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
  • however, it raises Refused to display 'https://v10.frontend.tech/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Does anyone know how I could set up nginx to avoid both errors?