Unfortunately, there really isn’t a way to do what you’re asking. When the user visits yoursite.com/masked-page, your website is making a request to masked-page.com, so those headers will be the ones that are sent along.
There isn’t a way to pass the user’s request headers straight through to the masked-page.com because there’s no way to validate the User’s headers as a traditional request because TCP relies on a 3-way handshake. (this would require yoursite.com to pass the User’s headers (IP address, User-Agent, etc) along, but this could all be spoofed.
So really, the way I see it, is there are 3 ways to do what you’re asking.
1 – If you edit the page and go down to the “Content Mask Settings” meta box, you can place a small invisible iframe in the “Footer Scripts” section: <iframe style="width:1px;height:1px;opacity:0;visibility:hidden;pointer-events:none;position:absolute;z-index:-2;" src="https://url-to-mask.com"></iframe>. This would introduce a small, invisible iframe into the code. The source code displayed to the user would still be from the download method, but that hidden iframe would complete a traditional HTTP request for the user, including their current IP Address, user agent, cookies, etc.
2 – Use the Iframe method. The Iframe method is designed to be a full screen, scrolling iframe matched to the size of the window, so it acts like the website that’s being masked. The only way to tell that the content is being iframed is to inspect the source code – but when used properly and with content you have license to mask, this shouldn’t be an issue. It doesn’t look like an iframe to the end-user.
3 – I could look at building in another option that would pass the Headers and Server variables in a simple cURL POST request. This would require custom programming on my end in the plugin, as well as on your end (assuming you control the website that’s being masked, not just the one that has Content Mask installed) so you could parse the POST request and do what you wish with those variables.
