Code looks OK, but I'd advise reviewing the site design from the top down, addressing both domain and protocol canonicalization, and modifying your on-page linking methods so that this 'mixed-security' problem becomes a non-issue.

If your http and https filespaces are separate, a 'tricky' method you can use to avoid problems of resources shared between http and https is to create 'fake' image and script directories in the https filespace, and symlink these to the 'real' ones in the http filespace.

Jim

Thanks again Jim, no the filespaces are the same. I'm not sure what you mean by linking though. In pages and in CSS I link to images like so:

src="/images/filename.jpg"

Same for .js and css. What it was doing was placing the non-secure version of, say, background images:

<link rel="/include_files/my.css">

<div style="some-style">

.some-style { background:url(/images/bg.jpg); }

So it should have gone from domain root in any case, secure or not, but doesn't until I added the include_files and images directory in the rules.

That's just weird... Any difference in the behaviour depending on the browser you use?

It seems very odd (well -- very wrong, actually) that the browser would improperly resolve a server-relative link in https to http://domain/link instead of retaining both the protocol and the domain. If this is the case with all browsers, then the only way to avoid the exclusion requirement would be to use canonical image and script links -- and that is, as I like to say, "non-optimal."

Jim

Is there a <base> tag on the page setting the protocol and domain?

No difference in browsers, and no there's no base being used.

It's notable to mention though - it does not do this if I don't enable the redirect from non-www to www.

My point being, how does a server-relative link on a page being served via SSL end up with the wrong protocol and/or the wrong domain? The browser should resolve it to the same protocol and domain as the page on which the link appears.

This is why I suggested a review of the site -- The most likely cause is that the SSL pages are being allowed to be requested from the 'wrong' domain, and therefore the links from those pages are getting redirected and breaking the http/https distinction.

Jim

Thanks again for your time Jim, I have read this 10 times on 3 successive days thinking a "light may come on tomorrow . . . " but I got nuttin'. :-) It's a Plain Jane domain, with a dynamic script for a shopping cart, the only special things going on are the .htaccess you see above, which is followed by a friendly-URL snippet which I'll paste below.

Other than that, all images, include files, etc. are requested by /, I don't use ../ or full links except for the precise links from the secure pages BACK to non-secure links, i.e.
http://www.example.com/contact.html

The rest of my .htaccess is as follows, you know what it's doing:

RewriteCond %{REQUEST_FILENAME}!-f
RewriteCond %{REQUEST_FILENAME}!-d
RewriteRule ^(.*)$ /cgi-bin/cart-script.cgi [L]

Cart-script doesn't do any special loops or rolls to the images or CSS links - these are contained in a page template, using the same syntax (/include_files/myfile.css)

Thanks again, frankly I don't know where else to look.

Hmmm... Well, the only thing I can suggest is to fire up the "Live HTTP Headers" add-on for FireFox and watch your SSL page request and subsequent on-page image requests, and see if that indicates more precisely when and how things are going wrong.

Jim

I will put one more thought out there on this, because I am clueless. :-)

Domain root is /site.com/some-directory (like html, whatever)

CGI executables are only allowed in /site.com/cgi-bin

The only place I've seen this is in the cgi scripts. Possibly this is the issue? The .htaccess above is only located in the domain root.