Reputation: 410
Handling Content Security Policy in .htaccess
I'm getting error on browser console as 'Refused to load the stylesheet 'https://xxx.xxxxxxxxx.com/web_app_assets/css/font-awesome/css/font-awesome.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com".'
I have following settings in .htaccess - Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com"
We have Web view and Mobile view for same website. If website loaded through mobile browser, we redirect to mobile domain (Which is pointing to same website folder) and we load the mobile view only, That time i get above error in console, and CSS & JS does not load.
Upvotes: 1
Views: 3881
Answers (1)
Reputation: 410
I found the issue. As we were redirecting to the mobile version domain on mobile browser, the web domain name / base path were defined in config file. So after redirection it was trying to load CSS & JS files from web domain and not from mobile domain. So we replaced the static domain name / base path (https://xxx.xxxxxxxxx.com/) to dynamic domain name ("https://".$_SERVER['SERVER_NAME']) in config file, and everything worked. Thanks.
Upvotes: 1
Related Questions
- Allow All Content Security Policy?
- how to add Content Security Policy (CSP)
- How to set right Content Security Policy with apache
- Content Security Policy bypass
- Content security policy including a script
- Implement Content Security Policy using local htaccess file (Apache)
- Content-Security-Policy doesnt work on my site?
- Content Security Policy - style-src - refuse to apply
- HTML Header Content Security Policy not reporting to file
- Applying style using JS when Content Security Policy is in effect