Bug #69665

Rendering of TypoScript shortcutIcon does not consider HTTPS (in some cases)

Added by Sybille Peters about 4 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Should have
Category:
TypoScript
Target version:
Start date:
2015-09-11
Due date:
% Done:
100%

TYPO3 Version:
7
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

IMHO it should be possible to enter the URL for shortcutIcon as an arbitrary URL, specifically in any of the following formats:

The current rendering is not flexible enough for HTTP/HTTPS because the rendered and cached page will be dependent on the URL scheme first used. This may result in a URL with HTTP scheme used for favicon (if the page is first fetched via http), which will then be cached and used for HTTPS as well, resulting in security warnings (mixed content).

TYPO3 source code (4.5 and 6.2 more or less the same):

if ($GLOBALS['TSFE']->pSetup['shortcutIcon']) {
    $favIcon = $GLOBALS['TSFE']->tmpl->getFileName($GLOBALS['TSFE']->pSetup['shortcutIcon']);
    // Only a file below PATH_site passes this check, so an absolute URL is never accepted
    if (is_file(PATH_site . $favIcon)) {
        if (function_exists('finfo_open')) {
            if ($finfo = @finfo_open(FILEINFO_MIME)) {
                $iconMimeType = ' type="' . finfo_file($finfo, (PATH_site . $favIcon)) . '"';
                finfo_close($finfo);
                $pageRenderer->setIconMimeType($iconMimeType);
            }
        }
        // TYPO3_SITE_URL carries the scheme of the current request; the rendered header is cached
        $pageRenderer->setFavIcon(GeneralUtility::getIndpEnv('TYPO3_SITE_URL') . $favIcon);
    }
}

As you can see, it is not possible to use relative or absolute paths because TYPO3_SITE_URL is prepended in any case. It is not possible to use absolute URLs because this will result in is_file failing.

This issue has actually already been reported, but for typo3.org, see https://forge.typo3.org/issues/58265

Any help is appreciated.


Related issues

Follows TYPO3 Core - Bug #15013: shortcut icon syntax incorrect/incomplete Closed 2005-10-08

Associated revisions

Revision 46d78561 (diff)
Added by Stephan Großberndt about 4 years ago

[BUGFIX] Add favicon without scheme

Remove the scheme when rendering the link to a favicon in order to
avoid mixed content because the cached header of a page is used for
both HTTP and HTTPS.

Resolves: #69665
Releases: master, 6.2
Change-Id: I39d51bcf31a98369645d144f670e4d6200c2402d
Reviewed-on: https://review.typo3.org/44213
Reviewed-by: Markus Sommer <>
Reviewed-by: Steffen Müller <>
Tested-by: Steffen Müller <>
Reviewed-by: Richard Haeser <>
Tested-by: Richard Haeser <>
Reviewed-by: Michael Oehlhof <>
Tested-by: Michael Oehlhof <>
Reviewed-by: Marcus Schwemer <>
Tested-by: Marcus Schwemer <>
Reviewed-by: Morton Jonuschat <>
Tested-by: Morton Jonuschat <>

Revision 71b64be0 (diff)
Added by Morton Jonuschat about 4 years ago

[BUGFIX] Add favicon without scheme

Remove the scheme when rendering the link to a favicon in order to
avoid mixed content because the cached header of a page is used for
both HTTP and HTTPS.

Resolves: #69665
Releases: master, 6.2
Change-Id: I39d51bcf31a98369645d144f670e4d6200c2402d
Reviewed-on: https://review.typo3.org/44921
Reviewed-by: Stephan Großberndt <>
Tested-by: Stephan Großberndt <>
Reviewed-by: Frank Nägler <>
Reviewed-by: Markus Klein <>
Tested-by: Markus Klein <>

History

#1 Updated by Chris no-lastname-given about 4 years ago

Hi @ all? Is there no workaround available for this really bad issue? Or any target version?

#2 Updated by Stephan Großberndt about 4 years ago

  • Status changed from New to In Progress
  • Assignee set to Stephan Großberndt
  • Target version set to 7 LTS
  • TYPO3 Version changed from 6.2 to 7

The cached header of a page is used for both HTTP and HTTPS. If a page gets called and cached as HTTP first, the next HTTPS page call generates a page which has a link to the favicon with http://, leading to mixed content and an insecure rating.

#3 Updated by Gerrit Code Review about 4 years ago

  • Status changed from In Progress to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44213

#4 Updated by Stephan Großberndt about 4 years ago

@chris and Sibylle Peters: Could you please verify the patch fixes the problem for you?

#5 Updated by Gerrit Code Review about 4 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44213

#6 Updated by Gerrit Code Review about 4 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44213

#7 Updated by Gerrit Code Review about 4 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44213

#8 Updated by Stephan Großberndt about 4 years ago

According to an Internet Explorer developer, IE7+? does not respect the <base href=""> on a favicon. Thus, to display one there, this has to be an absolute URL.

http://jeffcode.blogspot.de/2007/12/why-doesnt-favicon-for-my-site-appear.html

This leaves us with different choices, each with its trade-offs:

1. Use a protocol relative URL (//example.com/foo/favicon.ico)
  • Not supported on IE6
2. Use a relative URL (/foo/favicon.ico)
  • Not supported on IE7+?
3. Leave it as it is: (http://example.com/foo/favicon.ico)
  • IE7+? correctly displays favicon
  • Mixed content if page was rendered on HTTP and cached page header is used on HTTPS
4. Create different page header caches for HTTP and HTTPS
  • Overhead in the caching on the server

In my opinion mixed content is much worse than supporting totally outdated internet explorer versions.
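An added example (not TYPO3 code, written in Python rather than PHP) illustrating the cache-and-scheme interaction from the description and the trade-offs listed in comment #8: a page header cache keyed only by page id hands the http:// favicon URL to HTTPS visitors, while a protocol-relative href (option 1) does not. The host name and favicon path are constructed sample values.

```python
"""Added example: scheme-bound favicon URL in a cached page header vs. a scheme-less one."""
from dataclasses import dataclass, field
import re

FAVICON_PATH = "fileadmin/favicon.ico"  # constructed sample path


@dataclass
class Site:
    host: str = "example.com"                  # constructed sample host
    cache: dict = field(default_factory=dict)  # header cache keyed by page id only, as in the issue

    def site_url(self, scheme: str) -> str:
        # Plays the role of TYPO3_SITE_URL: it carries the scheme of the *current* request.
        return f"{scheme}://{self.host}/"

    def render_header(self, page_id: int, scheme: str, scheme_relative: bool) -> str:
        # Built on the first request and then served from cache regardless of scheme.
        if page_id in self.cache:
            return self.cache[page_id]
        if scheme_relative:
            href = "//" + self.host + "/" + FAVICON_PATH   # fix: no scheme in the link
        else:
            href = self.site_url(scheme) + FAVICON_PATH    # original: site URL prepended
        html = f'<link rel="shortcut icon" href="{href}" type="image/x-icon" />'
        self.cache[page_id] = html
        return html


def mixed_content_urls(html: str, request_scheme: str) -> list:
    """Return href/src values that are mixed content for a page served over request_scheme."""
    if request_scheme != "https":
        return []
    return re.findall(r'(?:href|src)="(http://[^"]*)"', html)


def simulate(scheme_relative: bool) -> list:
    """First request over http fills the cache; second request over https is served from it."""
    site = Site()
    site.render_header(page_id=1, scheme="http", scheme_relative=scheme_relative)
    served = site.render_header(page_id=1, scheme="https", scheme_relative=scheme_relative)
    return mixed_content_urls(served, "https")


if __name__ == "__main__":
    print("original:", simulate(scheme_relative=False))  # one http:// favicon URL
    print("fixed:   ", simulate(scheme_relative=True))   # []
```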

#9 Updated by Stephan Großberndt about 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#10 Updated by Gerrit Code Review about 4 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44921

#11 Updated by Gerrit Code Review about 4 years ago

Patch set 2 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44921

#12 Updated by Morton Jonuschat about 4 years ago

  • Status changed from Under Review to Resolved

#13 Updated by Riccardo De Contardi about 2 years ago

  • Status changed from Resolved to Closed

#14 Updated by Sybille Peters about 2 years ago

  • Description updated (diff)

#15 Updated by Stephan Großberndt about 2 years ago

Hello Sybille,
was this change just to test the functionality of changing the issue description or is there something to do here?
The patches are merged and included in published versions of TYPO3 so this should work.

#16 Updated by Sybille Peters about 2 years ago

I corrected the formatting of some of my posts that looked bad. This was not a good idea if watchers are being notified. Did you get a notification email? If yes, I am sorry.
