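location /daping/ {
    # Serve static files for /daping/ from this directory
    alias /data/screen/html/;
    # index index.html index.htm;

    # CORS headers. Browsers reject credentialed requests when
    # Access-Control-Allow-Origin is "*", so the wildcard and
    # Access-Control-Allow-Credentials "true" do not work together.
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Credentials true;

    # Security headers. add_header takes a name and a value; no colon after the name.
    add_header X-Xss-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    # add_header Content-Security-Policy "default-src 'self'";
}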
Using X-XSS-Protection in HTTP response headers
https://blog.csdn.net/u012280685/article/details/119455247
Web security defense summary, part 1: response headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection)
https://blog.csdn.net/jiongxian1/article/details/100619810
Configuring Nginx to handle cross-origin AJAX requests
https://www.cnblogs.com/zzw1986/p/5906600.html
nginx configured with add_header 'Access-Control-Allow-Origin' '*' still has cross-origin problems
https://blog.csdn.net/xiojing825/article/details/83383524
Cross-origin issues
https://www.cnblogs.com/zenghui940/p/4738809.html