Hello @Username1 and welcome to the forum,
I am not sure what you are trying to achieve is actually possible. Or, the maybe I understand it the other way around. Let’s start from this:
Who is “it”? I suspect the browser? Then this is where the problem lies. See, a reverse proxy hides the source of the content and pretend it was its own. So by accessing “test.localhost” you might be served the content from “test.safenet” but your reverse proxy pretends it is served “test.localhost”.
The domain-sandboxing however happens on the level of the browser, which will check the CSP headers (more information here) against the domain it is visting. And it sees that “test.locahost” is only allowed to reference to itself and other “*.safenet” domains. So if anything in there tries to connect to (for e.g.) “api.locahost” that is a clear violation of that CSP and the browser will – rightfully – complain.
Long story short, I don’t think it is possible to achieve what you want to achieve with a reverse-proxy along. You could try overwrite the response CSP headers, but I think that is a bad idea – always. And I am not sure this is even possible with nginx.