From 42ef68857d72a767dc855613d023abbdb4dccde3 Mon Sep 17 00:00:00 2001
From: wangbo
Date: Mon, 15 Jun 2026 23:11:01 +0800
Subject: [PATCH] =?UTF-8?q?fix(nginx):=20=E6=9B=B4=E6=96=B0=E4=BB=A3?= =?UTF-8?q?=E7=90=86=E9=85=8D=E7=BD=AE=E4=BB=A5=E6=94=AF=E6=8C=81=E5=BE=AE?= =?UTF-8?q?=E5=89=8D=E7=AB=AF=E6=A1=86=E6=9E=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 注释掉默认的 X-Frame-Options 头部设置
- 添加 proxy_hide_header 指令隐藏上游返回的 X-Frame-Options
- 增加 CORS 相关头部配置支持跨源资源访问
- 配置 Access-Control-Allow-Origin 允许所有来源
- 添加跨域请求方法和头部字段白名单
- 设置 Cross-Origin-Resource-Policy 为跨源策略
---
 easyai-proxy.conf.sample | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/easyai-proxy.conf.sample b/easyai-proxy.conf.sample
index 83fe8f0..260f77a 100644
--- a/easyai-proxy.conf.sample
+++ b/easyai-proxy.conf.sample
@@ -36,7 +36,7 @@ server {
 ssl_protocols TLSv1.2 TLSv1.3; # 只启用 TLS 1.2 和 TLS 1.3
 # 通用安全头部
 add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
+ # add_header X-Frame-Options "SAMEORIGIN";
 add_header X-XSS-Protection "1; mode=block";
 # 用于 certbot 验证的配置
 location /.well-known/acme-challenge/ {
@@ -57,6 +57,15 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $host;
+
+ # 如果 X-Frame-Options 是上游返回的,隐藏它
+ proxy_hide_header X-Frame-Options;
+
+ # Wujie 会 fetch HTML,必须允许跨源读取
+ add_header Access-Control-Allow-Origin "*" always;
+ add_header Access-Control-Allow-Methods "GET, HEAD, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Accept, Authorization" always;
+ add_header Cross-Origin-Resource-Policy "cross-origin" always;
 }

 location /api/ {
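Review bot: Commenting out `add_header X-Frame-Options "SAMEORIGIN";` at server level removes framing protection from every location in this server block, not only the pages the micro-frontend host embeds; the `/api/` location is visible further down in this patch. Since the aim is to let one known host application frame the site, a `frame-ancestors` allow-list keeps the clickjacking defence: `add_header Content-Security-Policy "frame-ancestors 'self' https://HOST_APP_ORIGIN.example" always;` (placeholder origin). That line has to be repeated in any location that defines its own `add_header`, because nginx does not merge the two levels. If the header really is meant to be dropped, the commented-out line should say why, e.g. `# X-Frame-Options disabled: pages are embedded by the Wujie host app`. The server block starts and ends outside the hunk.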
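Review bot: The `add_header` lines added to this location stop nginx from inheriting the server-level `add_header X-Content-Type-Options nosniff;` and `X-XSS-Protection` headers for its responses, because `add_header` is inherited from the outer level only when the current level defines none; the location needs its own `add_header X-Content-Type-Options nosniff always;`. `Access-Control-Allow-Origin "*"` combined with `Cross-Origin-Resource-Policy "cross-origin"` and the hidden upstream `X-Frame-Options` also lets any site read and frame whatever this location proxies, which is wider than a single micro-frontend host needs. An origin allow-list with `Vary: Origin` is sketched below with a placeholder origin; nginx omits a header whose value is empty, so unlisted origins get no CORS header. If the host only fetches public HTML, `Authorization` can probably be dropped from `Access-Control-Allow-Headers`. The location block opens outside the hunk, so which path it serves is not visible here.

```nginx
# http context (assumes this sample is included inside http {}); the origin is a placeholder
map $http_origin $cors_allow_origin {
    default "";
    "https://HOST_APP_ORIGIN.example" $http_origin;
}

# … unchanged: proxy_set_header lines, proxy_hide_header X-Frame-Options …
add_header X-Content-Type-Options nosniff always;
add_header Access-Control-Allow-Origin $cors_allow_origin always;
add_header Vary Origin always;
# … unchanged: Access-Control-Allow-Methods, Access-Control-Allow-Headers, Cross-Origin-Resource-Policy …
```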