I have Apache 2.4 with these sites configured in the httpd-vhosts.conf file:
<VirtualHost *:80 *:8080 *:8084>
DocumentRoot "c:\apache_php\sites\public"
ServerName www.mydomain.com
</VirtualHost>
<VirtualHost *:80 *:8080 *:8081>
DocumentRoot "c:\apache_php\sites\shared"
ServerName shared.mydomain.com
</VirtualHost>
The shared.mydomain.com domain has a JavaScript file that I want to load in www.mydomain.com/index.php with:
<script src="http://shared.mydomain.com:8081/js/file.js"></script>
I created an .htaccess file in the root of both the /public and /shared folders that contains this:
Header unset Content-Security-Policy
Header add Content-Security-Policy "script-src 'self' *.mydomain.com 'unsafe-inline' 'unsafe-eval'"
and I enabled mod_headers in the httpd.conf file:
LoadModule headers_module modules/mod_headers.so
I restarted Apache after adding the .htaccess files.
However, I keep getting:
Refused to load the script 'http://shared.mydomain.com:8081/js/file.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-Ar45cH3tWULAEHfrKWcx2xAENlIAClGDIdLNu/5tKMY='), or a nonce ('nonce-...') is required to enable inline execution.
Whenever I try to load the index.php in the public site, if I look at the headers in the Inspector it says this for both the index.php file and the file.js:
Referrer Policy: strict-origin-when-cross-origin
I can't figure out where this is being set, or why the Headers in the .htaccess files aren't overriding this setting. I searched for this "Referrer Policy" in all the files in the apache folder and it didn't show up.
How can I get these errors to go away?
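An added example, not part of the original post: a simplified Python model of the browser's `script-src` check, run against the policy from the .htaccess file and the `script-src 'none'` policy quoted in the error. It shows that a load must pass every policy delivered with the page, and that a host source without a port matches only the scheme's default port. The page URL on port 80 and the `:8081` variant of the policy are assumptions; matching is reduced to scheme, host and port.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed inputs. PAGE assumes index.php is served on port 80.
PAGE = "http://www.mydomain.com/index.php"
SCRIPT = "http://shared.mydomain.com:8081/js/file.js"
HTACCESS = "script-src 'self' *.mydomain.com 'unsafe-inline' 'unsafe-eval'"
REPORTED = "script-src 'none'"  # policy quoted in the browser error
WITH_PORT = HTACCESS.replace("*.mydomain.com", "*.mydomain.com:8081")  # assumed variant

def origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme]

def script_sources(policy):
    """Source list of the script-src directive, or None if the policy has none."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return None

def source_matches(source, url, page):
    """Simplified host-source match; paths and http->https upgrade are ignored."""
    scheme, host, port = origin(url)
    if source == "'self'":
        return origin(url) == origin(page)
    if source.startswith("'"):      # 'none', 'unsafe-inline', ... never match a URL
        return False
    if source == "*":
        return True
    src_scheme, _, rest = source.rpartition("://")
    src_host, _, src_port = rest.split("/")[0].partition(":")
    if (src_scheme or origin(page)[0]) != scheme:
        return False
    if src_host.startswith("*."):
        host_ok = host.endswith(src_host[1:])
    else:
        host_ok = host == src_host
    # No port in the source expression means "default port of the scheme" only.
    want = src_port if src_port else DEFAULT_PORTS[scheme]
    return host_ok and (want == "*" or int(want) == port)

def script_allowed(policies, url, page):
    """A load must pass every policy (default-src fallback is not modelled)."""
    for policy in policies:
        sources = script_sources(policy)
        if sources is not None and not any(source_matches(s, url, page) for s in sources):
            return False
    return True
```

In this model the .htaccess policy alone still rejects the `:8081` URL, and any policy list that contains `script-src 'none'` rejects it regardless of what the other policies allow. A second, looser policy cannot relax a stricter one, so the `script-src 'none'` policy has to be removed where it is set.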