<div dir="ltr"><span style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">I have one proxy server (nginx) - such as </span><a href="http://nginx.mycom.com/" target="_blank" style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">nginx.mycom.com</a><span style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px"> and three upstream servers - </span><a href="http://name1.mycom.com/" target="_blank" style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">name1.mycom.com</a><span style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">, </span><a href="http://name2.mycom.com/" target="_blank" style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">name2.mycom.com</a><span style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px"> and </span><a href="http://name3.mycom.com/" target="_blank" style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">name3.mycom.com</a><span style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px"> for my one application. Contents from upstream servers have a lot of iframes which have different domains. I want to allow XSS for these different domains. I don't know how to achieve XSS for this application. 
</span><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px"><br></div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">For instance, when contents from <a href="http://name1.mycom.com/" target="_blank">name1.mycom.com</a> have two iframes whose src are <a href="http://name1.mycom.com/content1" target="_blank">name1.mycom.com/content1</a> and <a href="http://name2.mycom.com/content2" target="_blank">name2.mycom.com/content2</a>, can I do the following to achieve XSS?</div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px"><br></div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">(1). replace <a href="http://name1.mycom.com/content1" target="_blank">name1.mycom.com/content1</a> with <a href="http://nginx.mycom.com/content1" target="_blank">nginx.mycom.com/content1</a></div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">      replace <a href="http://name2.mycom.com/content1" target="_blank">name2.mycom.com/content1</a> with <a href="http://nginx.mycom.com/content2" target="_blank">nginx.mycom.com/content2</a></div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">      add_header for XSS</div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">(2). When <a href="http://nginx.mycom.com/content1" target="_blank">nginx.mycom.com/content1</a> request is coming, proxy to <a href="http://name1.mycom.com/content1" target="_blank">name1.mycom.com/content1</a></div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">      add_header for XSS</div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">(3). 
When <a href="http://nginx.mycom.com/content2" target="_blank">nginx.mycom.com/content2</a> request is coming, proxy to <a href="http://name2.mycom.com/content2" target="_blank">name2.mycom.com/content2</a></div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">      add_header for XSS</div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px"><br></div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">I only have limited knowledge of Nginx. I would like to use NginxScript to achieve this goal. Can I do it in Nginx? I do appreciate your suggestion and some examples.</div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px"><br></div><div style="font-family:Roboto,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12.8px">David</div></div>
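A sketch of steps (1)-(3) above as plain nginx configuration, added here as an example and not part of the original post. It shows the iframe URLs being rewritten with sub_filter and each path proxied to its upstream, so that the page and both frames share the nginx.mycom.com origin. Assumptions: nginx is built with ngx_http_sub_module, the iframe src attributes are absolute http:// URLs, the main page is served by name1.mycom.com, and "add_header for XSS" is taken to mean limiting framing to the same origin.

```nginx
# Added example; goes inside the http {} block.
server {
    listen 80;
    server_name nginx.mycom.com;

    # Assumption: once every frame loads from nginx.mycom.com the browser treats
    # parent and frames as same-origin, so framing is restricted to this origin.
    add_header X-Frame-Options SAMEORIGIN always;

    # sub_filter cannot rewrite compressed bodies; ask upstreams for plain responses.
    proxy_set_header Accept-Encoding "";

    # Step (1): rewrite the iframe URLs in HTML responses
    # (text/html is the default sub_filter type).
    sub_filter_once off;
    sub_filter 'http://name1.mycom.com/content1' 'http://nginx.mycom.com/content1';
    sub_filter 'http://name2.mycom.com/content2' 'http://nginx.mycom.com/content2';

    # Step (2): requests for /content1 go to name1.mycom.com with the URI unchanged.
    location /content1 {
        proxy_pass http://name1.mycom.com;
    }

    # Step (3): requests for /content2 go to name2.mycom.com with the URI unchanged.
    location /content2 {
        proxy_pass http://name2.mycom.com;
    }

    # Assumption: the page that embeds the iframes is served by name1.mycom.com.
    location / {
        proxy_pass http://name1.mycom.com;
    }
}
```

If an add_header directive is later placed inside one of the location blocks, the server-level header is no longer inherited there and has to be repeated in that block.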