If I go to https://example.com
, then everything is working fine. However if I go to https://www.example.com
, then none of my static files load because it says that it goes against the CSP. Thus, I’m trying to redirect all www requests to non-www.
Here is my .htaccess
code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^$ public/ [L]
RewriteRule (.*) public/$1 [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} ^www.(.+) [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
<IfModule mod_headers.c>
Header set Content-Security-Policy: "default-src 'self'; font-src https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com; img-src 'self'; child-src 'none';"
...
</IfModule>
3
Answers
One of the best ways to solve this is to create a ServerAlias in your virtual host configuration in apache/httpd.
That will solve it and also some users still thinks that www is required to visit a site.
Your rules are in the wrong order (and incorrect). The canonical redirects need to go before the internal rewrites to the
/public
subdirectory (where I assume you have another.htaccess
file). As written, they are not doing anything. But also, your redirect to supposedly remove the www prefix is not doing that, but instead redirecting to the same host, which would have resulted in a redirect loop.Your rules should be written like this instead:
No need for the
<IfModule>
wrapper and the first rule (ie.RewriteRule ^$ public/
) is redundant since this would be handled by the second rule anyway.By redirecting from www to non-www (and HTTPS) first we minimise the number of canonical redirects to at most one. But this does assume you are not intending to implement HSTS.
Probably because you are referencing your "static files" using absolute URLs of the form
https://example.com/...
, notwww.example.com
.I believe that the files which are static are not hosted on the same domain (http://www.example.com vs example.com), they may be blocked by the CSP. To resolve this issue, one way might be is to your CSP so that the static files can loaded from the exact and correct location. To your guidance see this. To fix this, you can update your CSP to allow the static files to be loaded from the correct domain.
Now the images will be loaded from example.com and from the self domain as well. Additionally, you might also need to adjust the policy on where the files are hosted and accesssed.