Bug #69665

Updated by Sybille Peters almost 3 years ago

IMHO it should be possible to enter the URL for shortcutIcon as an arbitrary URL, specifically in any of the following formats:

 * absolute path, starting with /
 * absolute URL, e.g. https://www.example.org
 * scheme-relative: //www.example.org

 The current rendering is not flexible enough for HTTP/HTTPS because the rendered and cached page will be dependent on the URL scheme first used. This may result in a URL with the HTTP scheme being used for the favicon (if the page is first fetched via HTTP), which will then be cached and used for HTTPS as well, resulting in security warnings (mixed content).

 h1. TYPO3 source code (4.5 and 6.2 more or less the same): 


 <pre><code class="php">
 if ($GLOBALS['TSFE']->pSetup['shortcutIcon']) {
     // Resolve the configured value to a file path relative to the site root
     $favIcon = $GLOBALS['TSFE']->tmpl->getFileName($GLOBALS['TSFE']->pSetup['shortcutIcon']);
     // Only files that exist on the local file system pass this check
     if (is_file(PATH_site . $favIcon)) {
         if (function_exists('finfo_open')) {
             if ($finfo = @finfo_open(FILEINFO_MIME)) {
                 $iconMimeType = ' type="' . finfo_file($finfo, (PATH_site . $favIcon)) . '"';
                 finfo_close($finfo);
                 $pageRenderer->setIconMimeType($iconMimeType);
             }
         }
         // The site URL, including the scheme of the current request, is always prepended
         $pageRenderer->setFavIcon(GeneralUtility::getIndpEnv('TYPO3_SITE_URL') . $favIcon);
     }
 }
 </code></pre>


 -------------------- 

 As you can see, it is not possible to use relative or absolute paths because TYPO3_SITE_URL is prepended in any case. It is not possible to use absolute URLs because this will result in is_file failing.  


  

 Resulting page: (if page is first fetched via http) 
 --------------- 

 <pre>
 <link rel="shortcut icon" href="http://www.anyarbitrarysite.de/fileadmin/site-templates/header/favicon-2015.ico" type="image/x-icon; charset=binary" />
 <link rel="icon" href="http://www.anyarbitrarysite.de/fileadmin/site-templates/header/favicon-2015.ico" type="image/x-icon; charset=binary" />
 </pre>

 This issue has actually already been reported, but for typo3.org, see https://forge.typo3.org/issues/58265 

 Any help is appreciated. 
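
One way the three formats requested above could be accepted without writing the request scheme into the cached page, as an added example (not TYPO3 code and not part of the original report). The function name `resolveFavIconHref`, its parameters and the sample values are hypothetical.

```php
<?php
// Hypothetical helper, not TYPO3 API: map a configured shortcutIcon value to an
// href that does not depend on the scheme of the first (cached) request.
// Returns null when the value is rejected.
function resolveFavIconHref($value, $docRoot, $sitePath = '/')
{
    $value = trim($value);
    if ($value === '') {
        return null;
    }
    // Scheme-relative URL: the browser reuses the scheme of the embedding page.
    if (strncmp($value, '//', 2) === 0) {
        return parse_url('http:' . $value, PHP_URL_HOST) ? $value : null;
    }
    // Absolute URL: allow http and https only (rejects javascript:, data:, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $value)) {
        $scheme = strtolower((string)parse_url($value, PHP_URL_SCHEME));
        $host = parse_url($value, PHP_URL_HOST);
        return (in_array($scheme, array('http', 'https'), true) && $host) ? $value : null;
    }
    // Local file: absolute path from the document root, or relative to the site path.
    $path = ($value[0] === '/') ? $value : rtrim($sitePath, '/') . '/' . $value;
    if (strpos($path, '..') !== false || !is_file(rtrim($docRoot, '/') . $path)) {
        return null;
    }
    // Host-less href: the cached markup is valid for HTTP and HTTPS alike.
    return $path;
}

// Constructed sample input; a temporary directory stands in for the document root.
$docRoot = sys_get_temp_dir() . '/favicon-demo';
@mkdir($docRoot . '/fileadmin', 0700, true);
file_put_contents($docRoot . '/fileadmin/favicon.ico', '');
$samples = array(
    'fileadmin/favicon.ico',               // relative to the site path
    '/fileadmin/favicon.ico',              // absolute path
    '//www.example.org/favicon.ico',       // scheme-relative URL
    'https://www.example.org/favicon.ico', // absolute URL
    'javascript:void(0)',                  // rejected: scheme not allowed
    '../outside/favicon.ico',              // rejected: leaves the document root
);
foreach ($samples as $input) {
    $href = resolveFavIconHref($input, $docRoot);
    echo str_pad($input, 40), ' => ',
        $href === null ? '(rejected)' : htmlspecialchars($href, ENT_QUOTES), "\n";
}
```

An explicitly configured `http://` URL is still passed through unchanged and would produce the mixed-content warning on HTTPS pages; the scheme-relative or path forms avoid it.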
