
With htaccess I am using:

<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; \
        style-src 'self' 'unsafe-inline'; frame-src 'self' *.youtube.com; img-src * data:; media-src * data:; \
        report-uri /logging"
</IfModule>

However, I need to exclude all pages that contain Paypal scripts because Paypal writes into the DOM and this gets blocked by the Content-Security-Policy.

Now with htaccess I try to exclude CSP using a condition, so Paypal is not blocked anymore.

How can I exclude URLs that start with /order and /paypal?

Examples of domains:

https://www.example.com/order/checkout
https://www.example.com/paypal
https://www.example.com/paypal/check

Can I use Files or FilesMatch inside the IfModule?

Maybe like this?

<IfModule mod_headers.c>
    <FilesMatch "(order|paypal)">
        Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; \
            style-src 'self' 'unsafe-inline'; frame-src 'self' *.youtube.com; img-src * data:; media-src * data:; \
            report-uri /logging"
    </FilesMatch>
</IfModule>

But I need the opposite, if NOT FilesMatch.

Meanwhile I found this negative lookahead regex to exclude e.g. "order": ^((?!order).)*$ - and for "order" and "paypal" this regex should work: ^((?!order)(?!paypal).)*$

I tried it but it does not seem to work:

<IfModule mod_headers.c>
    <FilesMatch "^((?!order)(?!paypal).)*$">
        Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; \
            style-src 'self' 'unsafe-inline'; frame-src 'self' *.youtube.com; img-src * data:; media-src * data:; \
            report-uri /logging"
    </FilesMatch>
</IfModule>

I also tried ^(?!.*(order|paypal)$).*$ without success. It shows as valid in Regex101 but does not seem to work with Apache's htaccess.

Avatar
  • What are the URL(s) you are trying to match or exclude? Your regex is not quite right, but `FilesMatch` matches _filenames_ only, not paths and URLs. – MrWhite Jun 05 '23 at 17:07
  • 1
    Oh, that's a great hint! Thank you. URLs are "domain.com/order/..." or "domainc.om/paypal/..." -- Note that the CMS I am using rewrites the URLs to those "clean" URLs. – Avatar Jun 05 '23 at 17:08

1 Answer


URLs are "domain.com/order/..." or "domain.com/paypal/..."

As mentioned in comments, the FilesMatch directive matches against filenames only - this does not include filepaths or URLs. It would seem you are trying to exclude URLs (not files) that start with the order or paypal path segment.

You can do this using an Apache <If> expression. For example:

<If "%{REQUEST_URI} !~ m#^/(order|paypal)($|/)#">
    Header set .....
</If>

The !~ operator is a negated regex match. So, the contained Header directive is applied only when the requested URL does not match the regex.

However, whether this is applied successfully or not can still be dependent on other directives you might have in the config file. (e.g. Rewriting requests to a front-controller?)

UPDATE:

You can also try matching against THE_REQUEST instead, which contains the first line of the request headers and does not change when the request is rewritten.

THE_REQUEST contains a string of the form:

GET /order/checkout HTTP/1.1

For example:

<If "%{THE_REQUEST} !~ m#^[A-Z]{3,7}\s/(order|paypal)($|/)#">
    Header set .....
</If>
MrWhite
  • Thanks for your help. I tried your directive but the CSP Header is still loaded. The regex seems fine. https://regex101.com/r/3ADzbj/1 ... The REQUEST_URI is the URI as I can see it in the browser. Sidenote: The CMS I am running rewrites URLs (index.php?q=123) to friendly URLs. But since we take the request URI it shouldn't be an issue, I think. – Avatar Jun 05 '23 at 17:23
  • @Avatar I've "fixed" the regex (it should be _anchored_) and added another solution that uses `THE_REQUEST` instead - this may be preferable if you are rewriting the URLs for a CMS. – MrWhite Jun 05 '23 at 17:27
  • 1
    You are a genius! This seems to work. Thanks a lot, that was a difficult task for me, even though I program for decades. – Avatar Jun 05 '23 at 17:32
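Putting the accepted approach together, as an added example that is not part of the question or the answer: a complete .htaccess fragment that applies the strict policy from the question to every request except those whose path starts with /order or /paypal. Instead of sending no Content-Security-Policy at all on the checkout pages (the pages that handle payment are the ones you least want unprotected), the <Else> branch sends a looser policy that only widens what the embedded payment script needs. The PayPal host names and the 'unsafe-inline' in that branch are placeholders assumed for illustration, not taken from the page; derive the real list from the browser console and from the violation reports posted to /logging. The fragment also assumes Apache 2.4 or later (required for <If>/<Else>), mod_headers loaded, and AllowOverride permitting FileInfo for this directory.

```apache
# Added example, not the question's or the answer's own configuration.
# Assumptions: Apache 2.4+, mod_headers loaded, AllowOverride FileInfo.
# The PayPal hosts and 'unsafe-inline' in the <Else> branch are placeholders.
<IfModule mod_headers.c>
    # THE_REQUEST is the raw request line ("GET /order/checkout HTTP/1.1") and is
    # not altered by the CMS's front-controller rewrite, unlike REQUEST_URI.
    # "!~" negates the regex; ($|/) closes the path segment so that /orders or
    # /paypalinfo still receive the strict policy.
    <If "%{THE_REQUEST} !~ m#^[A-Z]{3,7}\s/(order|paypal)($|/)#">
        # Strict policy for the rest of the site. "always" also sends the header
        # on 4xx/5xx responses, which "Header set" (onsuccess table) skips.
        Header always set Content-Security-Policy "default-src 'self'; \
            script-src 'self' 'unsafe-eval'; \
            style-src 'self' 'unsafe-inline'; \
            frame-src 'self' *.youtube.com; \
            img-src * data:; \
            media-src * data:; \
            report-uri /logging"
    </If>
    <Else>
        # Checkout pages: keep a policy, but widen only the directives the
        # payment script needs. Hosts below are assumed placeholders; replace
        # them with the origins your integration actually loads from.
        Header always set Content-Security-Policy "default-src 'self'; \
            script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.paypal.com https://www.paypalobjects.com; \
            style-src 'self' 'unsafe-inline'; \
            frame-src 'self' https://www.paypal.com; \
            connect-src 'self' https://www.paypal.com; \
            img-src * data:; \
            media-src * data:; \
            report-uri /logging"
    </Else>
</IfModule>
```

To check which branch a request hits, inspect the response headers from the command line, for example `curl -sI https://www.example.com/order/checkout | grep -i content-security-policy` against `curl -sI https://www.example.com/ | grep -i content-security-policy`; the two should differ. Two caveats: `apachectl -t` validates only the server configuration, not .htaccess files, so a syntax error here surfaces as a 500 response and an entry in the error log; and if the CMS already emits its own Content-Security-Policy header, browsers enforce every CSP header they receive, so the effective policy is the intersection of both.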