• Resolved timholz

    (@timholz)


    Hi – today i tried to configure the CSP feature. I added a directive for script-src. It had no effect. Then i checked the .htaccess and noticed, no entry for CSP present. The next test was to disable the plugin and to check the .htaccess file. Everything related to w3tc was, as i expected, gone. But when i activated the plugin again, the .htaccess did not update at all. I had to reinstall my backup from .htaccess. What is going on here? Is there a way to tell the plugin to update .htaccess? By the way, all my custom rules are labeled with #Begin… and #End… Thanks for any info Theo

    • This topic was modified 7 months, 3 weeks ago by timholz.

    The page I need help with: [log in to see the link]

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @timholz

    Thank you for reaching out and I am happy to help!
    I’ve just tested this and enabled Content Security Policy in Performance>Browser Cache>Security headers and set script-src: to self
    Once I saved all settings and purged the cache I was able to see the header:
    content-security-policy:script-src ‘self’

    I can see that also when inspecting your website:

    As for the .htaccess, the W3TC does add the rules:

    <IfModule mod_headers.c>

    Header set Content-Security-Policy "script-src 'self'"

    </IfModule>
    # END W3TC Browser Cache

    As you can see just before END W3TC Browser Cache

    Can you please share your .htaccess file and what you see there in the Browser Cache section?

    Thanks!

    Thread Starter timholz

    (@timholz)

    @vmarko – thanks for responding. Yes, that’s right the csp is indeed appearing in the response headers. But unfortunately, the script-src directives, that i added in the browser cache section, is not updated in .htaccess. That’s the problem. How can i share .htaccess (it is quite big)? As for the settings in the cache section, i could provide a json file (from the export section). I could upload everthing to dropbox. By the way, exporting the plugin settings open a new browser tab and the settings are one big compressed json. That too, is a bit strange, cause in former versions the json was properly formatted and downloaded to my download folder… Thanks a lot for your interest and time. regards theo

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @timholz

    Thank you for your feedback.
    Please check the Performance>Install section of the plugin and see if those rules are there.
    You can use https://pastebin.com/ and share the link.
    As for the .json file, i tried to replicate this, however, I always get the .json file downloaded.
    So it appreas that the problem is with some browser cache or browser extensions.
    Please check other browsers and see if it works.
    Thanks!

    Thread Starter timholz

    (@timholz)

    @vmarko Hi – Thanks for responding. The json is under: https://pastebin.com/dQTdNve3 and htaccess: https://pastebin.com/cNtPyuTf As for the rules under Performance>Installer, i can see some rules, but i do not know what rules you are referring to. I tested downloading the plugin settings in various browsers. The behaviour described above is consistent. Please let me know, when you are done with viewing the files in pastebin. regards theo

    Thread Starter timholz

    (@timholz)

    @vmarko hi – i checked with another site in dev-mode and encountered similar problems. The .htaccess is not updated when changing the settings. I also tried altering the settings ?with all in one wordpress security? plugin disabled. Same result. Exporting the plugin settings however worked well. regards theo

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @timholz

    Thank you for sharing this.

    I can see the Header set Content-Security-Policy “script-src ‘self'” in your .htaccess that is commented out with the #
    It appears taht you are using some other plugin or some custom rules for security headers and that is creating some kind of conflict.
    Are you using anything else besides W3TC to set this up?

    Thanks!

    Thread Starter timholz

    (@timholz)

    @vmarko Hi -thanks for the message. Yes, it has # before that line, but that was me, not a plugin, who wrote that sign. The transfer from the plugin settings to htaccess is not happening, that’s why i altered it manually. The problem persists, i reinstalled w3tc, disabled the security plugin, but it stays the same. htaccess is not changing… bye bye

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @timholz

    The other W3TC rules are added as you can see in the .htaccess you shared.
    So please let me know when you enable those in the security settings, do you see those rules applied in the Performance>Install section
    It should look something like this depending on the settings:

    Thanks!

    Thread Starter timholz

    (@timholz)

    @vmarko Hi – i do not enable anything in the security plugin. I just disabled the plugin to check any interference with w3tc. And yes, the rules are present under performance>install. As i said, the problem persists not only with one website, but rather several. So, inspite of the great performance of w3tc, i can’t help but thinking of a new way. The plugin settings are not communicating with htaccess. Have a nice evening

    Thread Starter timholz

    (@timholz)

    @vmarko Hi

    final test:

    1. Disable all features in general settings > .htaccess does not reflect any change
    2. Disable w3tc plugin > .htaccess reflects this. Everything related to w3tc is erased
    3. Enable w3tc plugin > .htaccess does not reflect this action. No w3tc rules present in .htaccess
    4. Delete w3tc; also delete all tables with w3tc in database
    5. Install w3tc and import settings previously exported > save settings and purge all caches > .htaccess does not reflect this, no w3tc rules present.
    6. Conclusion > Apparently there is a communication problem with .htaccess or no resource for retrieving w3tc rules is available
      Thanks
      regards theo
Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘.htaccess is not updated’ is closed to new replies.