CCH0124 · September 18, 2023 08:09
diff --git a/NGINX-CORS+CSP.conf b/NGINX-CORS+CSP.conf
 server {
  ...
  
  add_header Content-Security-Policy "default-src 'none'";
  add_header X-Content-Security-Policy "default-src 'none'";
  add_header X-WebKit-CSP "default-src 'none'";

  add_header "Access-Control-Allow-Headers" "X-Requested-With";
  
  if ( $http_origin ~* (https?://(.+\.)?(domain1|domain2|domain3)\.(?:me|co|com)$) ) {
    set $cors "$http_origin";
  }
  
  add_header "Access-Control-Allow-Origin" "$cors";
  
  ...
 }
	server {
	...

	add_header Content-Security-Policy "default-src 'none'";
	add_header X-Content-Security-Policy "default-src 'none'";
	add_header X-WebKit-CSP "default-src 'none'";

	add_header "Access-Control-Allow-Headers" "X-Requested-With";

	if ( $http_origin ~* (https?://(.+\.)?(domain1\|domain2\|domain3)\.(?:me\|co\|com)$) ) {
	set $cors "$http_origin";
	}

	add_header "Access-Control-Allow-Origin" "$cors";

	...
	}