Better handling of the security headers.

defaults/main.yml

@@ -93,7 +93,11 @@ nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT
 nginx_set_xss_protection: False
 nginx_set_content_security_options: False
 # Choiches: 'self', 'none', a list of domains
-nginx_content_security_acl:
+nginx_content_security_src_acl:
+  - "'self'"
+#  - "'none'"
+#  - '{{ ansible_domain }}'
+nginx_content_security_ancestor_acl:
   - "'self'"
 #  - "'none'"
 #  - '{{ ansible_domain }}'

templates/nginx-virthost.j2

@@ -45,6 +45,7 @@ server {
     {% endif %}
 
     {% if nginx_set_xss_protection %}
+    proxy_hide_header X-XSS-Protection;
     add_header X-XSS-Protection "1; mode=block;";
     {% endif %}
     {% if nginx_set_frame_origin %}
@@ -52,7 +53,8 @@ server {
     add_header X-Frame-Options "{{ nginx_x_frame_options }}";
     {% endif %}
     {% if nginx_set_content_security_options %}
-    add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};";
+    proxy_hide_header Content-Security-Policy;
+    add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ l }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
     {% endif %}
     server_tokens {{ item.server_tokens | default('off') }};
 
@@ -260,6 +262,7 @@ server {
     include /etc/nginx/snippets/nginx-server-ssl.conf;
 
     {% if nginx_set_xss_protection %}
+    proxy_hide_header X-XSS-Protection;
     add_header X-XSS-Protection "1; mode=block;";
     {% endif %}
     {% if nginx_set_frame_origin %}
@@ -267,6 +270,7 @@ server {
     add_header X-Frame-Options "{{ nginx_x_frame_options }}";
     {% endif %}
     {% if nginx_set_content_security_options %}
+    proxy_hide_header Content-Security-Policy;
     add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};";
     {% endif %}
     server_tokens {{ item.server_tokens | default('off') }};