Why doesn't nginx, as a reverse proxy, send the Referrer-Policy header?

Some background: I am using nginx as a reverse proxy for a bunch of applications running in Docker containers.

Among these applications is Nextcloud (fpm), whose settings page complains that the HTTP Referrer-Policy header is not set to "no-referrer", even though the nginx config file for my Nextcloud app contains this line (in the server section), and the other headers are sent.

    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "noindex, nofollow"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;

Here are some tests with curl:

$ curl -Il https://cloud.example.com
HTTP/2 302 
server: nginx/1.23.3
date: Wed, 13 Dec 2023 15:45:53 GMT
content-type: text/html; charset=UTF-8
location: https://cloud.example.com/login
set-cookie: oc_sessionPassphrase=foo%bar; path=/; secure; HttpOnly; SameSite=Lax
content-security-policy: default-src 'self'; script-src 'self' 'nonce-foobar='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: foobar=barfoo; path=/; secure; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
strict-transport-security: max-age=15768000; includeSubDomains;
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block

$ curl -Il -e https://cloud.example.com https://www.example.com
HTTP/2 200 
server: nginx/1.23.3
date: Wed, 13 Dec 2023 15:38:47 GMT
content-type: text/html; charset=UTF-8
x-powered-by: PHP/8.0.30
set-cookie: __wpdm_client=foobar; path=/; secure; HttpOnly
link: <https://www.example.com/wp-json/>; rel="https://api.w.org/"
link: <https://www.example.com/wp-json/wp/v2/pages/7>; rel="alternate"; type="application/json"
link: <https://www.example.com/>; rel=shortlink
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none

I don't understand...
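The following is an added example, not code from the original post or from Nextcloud: a small POSIX shell checker that reads a raw HTTP response (from `curl -I`, or from a saved dump) and reports which of the security response headers from the post's `add_header` list are missing or sent more than once. Referrer-Policy is a header in the *response* of the site being visited, so the check has to run against the response from `cloud.example.com` itself; a request that merely carries a Referer to another host (the post's second curl) does not exercise it. The sample header block is constructed from the post's first curl output so the script runs offline; the function names and the `--demo` flag are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): report which security
# response headers are missing from, or duplicated in, an HTTP response.
# The header list is the one the post's add_header lines set, plus HSTS,
# which the post's output also shows.

# Read raw response headers on stdin. Print "MISSING: <name>" for each
# absent header and "DUPLICATE: <name> (<n>x)" for each header sent more
# than once (typical when both the backend and nginx emit it). Return the
# number of missing headers, so 0 means every expected header is present.
check_security_headers() {
    # Lowercase names and strip CRs so HTTP/1.1 and HTTP/2 dumps compare alike.
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    missing=0
    for name in referrer-policy x-content-type-options x-download-options \
                x-frame-options x-permitted-cross-domain-policies \
                x-robots-tag x-xss-protection strict-transport-security; do
        # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
        count=$(printf '%s\n' "$hdrs" | grep -c "^$name:" || true)
        if [ "$count" -eq 0 ]; then
            echo "MISSING: $name"
            missing=$((missing + 1))
        elif [ "$count" -gt 1 ]; then
            echo "DUPLICATE: $name (${count}x)"
        fi
    done
    return "$missing"
}

# Fetch headers with a HEAD request, as the post does with curl -I, but
# follow redirects so the check sees the final response rather than only
# the 302 the post's first test stopped at.
check_url() {
    curl -sSIL "$1" | check_security_headers
}

# Constructed sample: the header lines from the post's first curl output,
# embedded here so the check runs without network access.
SAMPLE_HEADERS='HTTP/2 302
server: nginx/1.23.3
content-type: text/html; charset=UTF-8
location: https://cloud.example.com/login
strict-transport-security: max-age=15768000; includeSubDomains;
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_HEADERS" | check_security_headers
    echo "missing count: $?"
fi
```

Run it as `sh check_headers.sh --demo` for the embedded sample, or source it and call `check_url https://cloud.example.com/login` against a live host. Run the live check against several paths (`/`, `/login`, a static file under `/core/`), not just one: nginx's `add_header` directives are inherited into a `location` block only when that block defines no `add_header` of its own, so a location that sets even one header silently drops the whole server-level set for the paths it matches, and a per-path check is how that shows up.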
