Goal
I want to bypass the same-origin policy on an iframe via a reverse proxy, to have some JavaScript control over the website inside the iframe.
Problem 1
The src of the iframe is set to https://example1.com/iframe-app. But this still raises a same-origin policy violation in the browser. So the browser still sees the page inside the iframe as not originating from https://example1.com/, and this seems okay, since if the underlying page has the same origin then its AJAX requests will not work.
Problem 2
So I tried using the nginx sub_filter directive to inject my JavaScript into the response HTML. Nothing is added to the response though. Maybe this is because the response is encrypted due to the HTTPS protocol?
Question
Why does sub_filter not work, and how do I make it work?
nginx Config
server {
    root /var/www/example1.com/html;
    index index.html index.htm index.nginx-debian.html;
    server_name example1.com www.example1.com;

    location / {
        proxy_pass http://localhost:4000;
    }

    location /iframe-app {
        rewrite ^/iframe-app(.*) /$1 break;
        proxy_pass http://example2.com;
        proxy_set_header Accept-Encoding "";
        proxy_redirect off;
        sub_filter '</head>' '<script>...code</script></head>';
        sub_filter_once on;
        sub_filter_types text/html;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example1.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example1.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.example1.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = example1.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name example1.com www.example1.com;
    return 404; # managed by Certbot
}