This is a comment on sitemap.xml with and without www, posted by WikiAdmin at 11/27/2025 17:21

Cause:
  * ##Referrer-Policy: strict-origin-when-cross-origin## violation
  * %%
sitemap.xml:2 Unsafe attempt to load URL https://www.example.com/theme/_common/sitemap.xsl from frame with URL https://example.com/xml/sitemap.xml. Domains, protocols and ports must match.
sitemap.xml:1 [Deprecation] crbug.com/435623334: This page uses XSLT, which being considered for removal from the web. If that happens, it is possible that this page will need to be updated to maintain functionality.
%%
  * In other words, ##~https://www.example.com## won't load ##~https://example.com## links or vice versa with the ##strict-origin-when-cross-origin## policy in place; this is a ((/Dev/Guidelines/SecurityHeaders Security Header)) issue that affects CSP and Referrer-Policy.

Solution:
  * ease Referrer-Policy in Admin panel (probably not a good idea)
    * https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy
  * change URL for sitemap.xsl to ##/theme/_common/sitemap.xsl##
    * %%<?xml-stylesheet type="text/xsl" href="/theme/_common/sitemap.xsl"?>%%
    * %%(hl diff)diff --git a/src/class/feed.php b/src/class/feed.php
index 39add03..a7f9f1f 100644
--- a/src/class/feed.php
+++ b/src/class/feed.php
@@ -311,7 +311,7 @@
 		$xml  = '<?xml version="1.0" encoding="utf-8"?>' . "\n";
 		$xml .= $this->engine->db->xml_sitemap_gz
 				? ''
-				: '<?xml-stylesheet type="text/xsl" href="' . $this->engine->db->base_url . Ut::join_path(THEME_DIR, '_common/sitemap.xsl') . '"?>' . "\n";
+				: '<?xml-stylesheet type="text/xsl" href="' . $this->engine->db->base_path . Ut::join_path(THEME_DIR, '_common/sitemap.xsl') . '"?>' . "\n";
 		$xml .= '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">' . "\n";
 
 		if ($pages)
%%
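Review bot: the ##+## line concatenates ##base_path## directly with ##Ut::join_path(THEME_DIR, '_common/sitemap.xsl')##, so the fix only holds if the result starts with ##/##. The sitemap is served from ##/xml/sitemap.xml##, so an empty or slash-less ##base_path## would make the href resolve under ##/xml/## instead of giving ##/theme/_common/sitemap.xsl##. Please confirm the rendered href on both the www and the non-www host before merging, and consider passing the value through ##htmlspecialchars()##, since it is written into an XML attribute unescaped.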
    * Does this work, can I merge? 

To make matters worse, I have my own redirect zoo in root mainly to redirect www. and legacy locations.
There are similar issues with ##canonical## URLs regarding the ##www.## prefix.

To completely disable the www prefix in URLs on an Apache server, you must configure a redirect from ##www.example.com## to ##example.com## using either ##.htaccess## or the Apache virtual host configuration.
%%
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
%%

Despite this server-side redirection, the PHP ##$_SERVER['SERVER_NAME']## variable may still reflect the ##www.## prefix if the server configuration or the request's initial host header is not properly normalized. This is because ##$_SERVER['SERVER_NAME']## is derived from the HTTP request headers and may not be updated by the rewrite rule if the server does not re-evaluate the host header after the redirect.

%%
$this->config['base_path']	= $this->get_base_url($this->canonical);
%%

So in the current configuration, if you choose to use the ##www.## prefix redirect, disable ##$this->canonical## URLs.
Perhaps it is useful to add an option in the ##get_base_url()## function in the Settings class that removes the ##www.## prefix from the ##$base_url##. Is there another way to address this www. prefix alias mess?

  * ##base_url##
  * ##base_path##
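
Added example, not part of the original comment or of the project's code: a small Node.js check that applies the "Domains, protocols and ports must match" rule from the console message to a sitemap's ##xml-stylesheet## href. The sitemap bodies are constructed samples and the function names are hypothetical; the hosts and paths are the ones quoted in the comment.

```javascript
// Constructed sample sitemaps: absolute href (before the patch) and host-relative href (after).
const SITEMAP_ABSOLUTE = `<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="https://www.example.com/theme/_common/sitemap.xsl"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"></urlset>`;
const SITEMAP_RELATIVE = SITEMAP_ABSOLUTE.replace(
  'https://www.example.com/theme', '/theme');

const PI_RE = /<\?xml-stylesheet\s+([\s\S]*?)\?>/;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Extract the href pseudo-attribute of the first xml-stylesheet processing instruction.
function stylesheetHref(xml) {
  const pi = PI_RE.exec(xml);
  if (!pi) return null;
  for (const m of pi[1].matchAll(ATTR_RE)) {
    if (m[1] === 'href') return m[2] ?? m[3];
  }
  return null;
}

// Resolve the href against the URL the sitemap was served from and compare
// origins (scheme + host + port), as the browser does before applying XSLT.
function checkStylesheet(documentUrl, xml) {
  const href = stylesheetHref(xml);
  if (href === null) return { href: null, resolved: null, sameOrigin: true };
  const doc = new URL(documentUrl);
  const resolved = new URL(href, doc);
  return { href, resolved: resolved.href, sameOrigin: resolved.origin === doc.origin };
}

// Run each sample against both host aliases the site answers on.
function report() {
  const hosts = ['https://example.com/xml/sitemap.xml',
                 'https://www.example.com/xml/sitemap.xml'];
  const rows = [];
  for (const [name, xml] of [['absolute', SITEMAP_ABSOLUTE], ['relative', SITEMAP_RELATIVE]]) {
    for (const url of hosts) {
      rows.push({ name, url, ...checkStylesheet(url, xml) });
    }
  }
  return rows;
}

for (const r of report()) {
  console.log(`${r.sameOrigin ? 'OK  ' : 'FAIL'} ${r.name} href from ${r.url} -> ${r.resolved}`);
}
```

Only the absolute href served from the non-www host fails; a path-relative href such as ##theme/_common/sitemap.xsl## would pass the origin check but resolve under ##/xml/##, so the resolved URL is worth checking as well.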