Bug #69665
Rendering of TypoScript shortcutIcon does not consider HTTPS (in some cases)
Status: closed, 100%
Description
IMHO it should be possible to enter the URL for shortcutIcon as an arbitrary URL, specifically in any of the following formats:
- absolute path, starting with /
- absolute URL, e.g. https://www.example.org
- scheme-relative: //www.example.org
The current rendering is not flexible enough for HTTP/HTTPS because the rendered and cached page will be dependent on the URL scheme first used. This may result in a URL with HTTP scheme used for favicon (if the page is first fetched via http), which will then be cached and used for HTTPS as well, resulting in security warnings (mixed content).
TYPO3 source code (4.5 and 6.2 more or less the same):
if ($GLOBALS['TSFE']->pSetup['shortcutIcon']) {
    // Resolve the TypoScript value to a file path relative to PATH_site
    $favIcon = $GLOBALS['TSFE']->tmpl->getFileName($GLOBALS['TSFE']->pSetup['shortcutIcon']);
    // Only a local file passes this check
    if (is_file(PATH_site . $favIcon)) {
        if (function_exists('finfo_open')) {
            if ($finfo = @finfo_open(FILEINFO_MIME)) {
                $iconMimeType = ' type="' . finfo_file($finfo, (PATH_site . $favIcon)) . '"';
                finfo_close($finfo);
                $pageRenderer->setIconMimeType($iconMimeType);
            }
        }
        // TYPO3_SITE_URL (including the scheme of the current request) is always prepended
        $pageRenderer->setFavIcon(GeneralUtility::getIndpEnv('TYPO3_SITE_URL') . $favIcon);
    }
}
As you can see, it is not possible to use relative or absolute paths because TYPO3_SITE_URL is prepended in any case. It is not possible to use absolute URLs because this will result in is_file failing.
This issue has actually already been reported, but for typo3.org, see https://forge.typo3.org/issues/58265
Any help is appreciated.
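
As an added illustration (not TYPO3 code and not part of the original report), this is one way to resolve a shortcutIcon value in the three formats listed above so that the cached output does not depend on the scheme of the first request. `resolveFavIconHref`, `renderFavIconLink` and `$sitePath` are hypothetical names, and emitting `http://` values in scheme-relative form is a design choice of this sketch.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not TYPO3 API. $sitePath is an assumed path prefix of
// the site ("/" or "/subdir/"); no scheme or host is taken from the request.
function resolveFavIconHref(string $setting, string $sitePath = '/'): ?string
{
    $setting = trim($setting);
    // Reject empty values and characters that do not belong in a URL.
    if ($setting === '' || preg_match('/[\x00-\x20"<>\\\\]/', $setting)) {
        return null;
    }
    // Scheme-relative URL: the browser reuses the scheme of the page.
    if (strncmp($setting, '//', 2) === 0) {
        return is_string(parse_url('https:' . $setting, PHP_URL_HOST)) ? $setting : null;
    }
    $scheme = parse_url($setting, PHP_URL_SCHEME);
    if (is_string($scheme)) {
        $scheme = strtolower($scheme);
        if ($scheme === 'https') {
            return $setting;
        }
        // Design choice of this sketch: emit http:// URLs scheme-relative so a
        // page cached from an HTTP request embeds no http:// favicon.
        if ($scheme === 'http') {
            return substr($setting, strlen('http:'));
        }
        return null; // any other scheme is not accepted for a favicon
    }
    // Absolute path: usable as-is under either scheme.
    if ($setting[0] === '/') {
        return $setting;
    }
    // Site-relative path (e.g. fileadmin/...): make it an absolute path.
    return rtrim($sitePath, '/') . '/' . $setting;
}

function renderFavIconLink(string $setting, string $sitePath = '/'): string
{
    $href = resolveFavIconHref($setting, $sitePath);
    return $href === null ? ''
        : '<link rel="shortcut icon" href="' . htmlspecialchars($href, ENT_QUOTES) . '">';
}

// Constructed sample settings: the formats from the report plus a rejected one.
foreach (['/favicon.ico', 'https://www.example.org/favicon.ico', '//www.example.org/favicon.ico',
          'http://www.example.org/favicon.ico', 'fileadmin/favicon.ico', 'ftp://www.example.org/favicon.ico'] as $s) {
    printf("%-40s => %s\n", $s, renderFavIconLink($s) ?: '(rejected)');
}
```

None of the accepted results contains the request's scheme or host, so the same cached markup is valid whether the page is later served over HTTP or HTTPS.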