[TYPO3-dev] Scheme enforcement in 4.5.x

Ernesto Baschny [cron IT] ernst at cron-it.de
Wed Dec 7 11:43:17 CET 2011


Hi Felix,

you don't need to enforce anything at link generation time. You enforce
a redirect on the landing page: Once you hit the landing page, it will
redirect you to the HTTP or HTTPS variant, whichever is configured. This
is how https_enforcer and the new feature in TYPO3 4.5 work. Only that
the new feature of 4.5 lacks a way of telling which is the "default"
scheme for pages where nothing has been declared (leaving the protocol
untouched).

Once we have a way to specify the default value (new feature, candidate
for backporting to 4.5 in my eyes), you can set that to "http" and
wherever you are in HTTPS mode, and click on a link, the browser will
first call that page with HTTPS and then switch (redirect) to HTTP
(because that's the default).

No need to try to parse TypoScript settings from remote trees where you
are linking to. The destination page should know what to do. This also
handles the case when external links point to a page which is supposed
to be HTTPS (and user is going to it with HTTP): the magic redirects the
user to the correct protocol.

Cheers,
Ernesto

Felix Nagel wrote on 07.12.2011 11:08:
> On 07.12.2011 01:07, Michael Stucki wrote:
>> I've had a look at your approach. I think what you want to do is this:
>> - Force URLs to be protocol-neutral
> What do you mean by protocol-neutral? Relative links?
> 
>> However, IMHO this makes little sense practically. You seem willing to
>> define how all URLs (not only some) are requested (HTTP vs. HTTPS),
>> therefore I don't understand why URLs should still be protocol-neutral
>> by default.
> I'm not sure you did understand the problem correctly.
> 
> Currently it's not possible to have SOME pages with https. Why? Once a
> user is using https (forced by url_scheme on a specific page) there is
> no way to go back to http without changing the URL manually. Why?
> Because we need to change the baseUrl of the typoLink calling page to
> ensure a valid https connection for all resources (not only html but js,
> css, pictures, ...).
> 
> So IMHO the current implementation of url_scheme is totally useless, as
> practically you could use https for ALL pages or for NONE (which would
> be done by baseUrl, no need of url_scheme field).
> If I am wrong I would love to hear how to use url_scheme in a proper way.
> 
>> So what I suggest is similar to Jigal's suggestion:
>> If a default scheme is defined (using the new TypoScript setting) then
>> we automatically enforce all links to be absolute (similar to
>> forceAbsoluteUrl=1 in Typolink).
> Enforcing absolute URLs is what I do in my fix. But not for all links by
> default, only if needed.
> 
> By the way, the discussion earlier in the thread was about a TS setting
> which could be used to force the scheme anywhere in the pagetree. My
> basic approach is the same but it would need an additional rendering of
> the actual TS of each linked page. Would be a great feature!
> 
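
The landing-page redirect described in the reply above, including the proposed default scheme, as an added example (not part of the original mails and not TYPO3 core code). The function name, the 0/1/2 encoding of the url_scheme field and the host www.example.org are assumptions made for illustration.

```php
<?php
// Added illustration; all names are hypothetical, not TYPO3 API.
// Assumed encoding of the per-page url_scheme field:
// 0 = nothing declared, 1 = http, 2 = https.
const SCHEME_UNSET = 0;
const SCHEME_HTTP  = 1;
const SCHEME_HTTPS = 2;

/**
 * Decide on the landing page whether the request must be redirected.
 * $defaultScheme is 'http', 'https' or null (no default: protocol untouched).
 * $canonicalHost comes from site configuration, never from the Host header.
 * Returns the absolute redirect target, or null if no redirect is needed.
 */
function resolveSchemeRedirect(
    int $pageScheme,
    ?string $defaultScheme,
    string $requestScheme,
    string $canonicalHost,
    string $requestUri
): ?string {
    $declared = [SCHEME_HTTP => 'http', SCHEME_HTTPS => 'https'];
    if (!in_array($defaultScheme, $declared, true)) {
        $defaultScheme = null; // ignore anything that is not http/https
    }
    // A scheme declared on the page wins; otherwise use the default, if any.
    $wanted = $declared[$pageScheme] ?? $defaultScheme;
    if ($wanted === null || $wanted === strtolower($requestScheme)) {
        return null;
    }
    // Keep only a local path ("/...", not "//host" or "/\host"), so the
    // redirect cannot be steered to another host.
    if (preg_match('#^/(?![/\\\\])#', $requestUri) !== 1) {
        $requestUri = '/';
    }
    return $wanted . '://' . $canonicalHost . $requestUri;
}

// Constructed sample requests: [page url_scheme, default, request scheme, URI]
$samples = [
    [SCHEME_HTTPS, null,   'http',  '/checkout/'], // page declares https
    [SCHEME_UNSET, null,   'https', '/news/'],     // nothing declared, no default
    [SCHEME_UNSET, 'http', 'https', '/news/'],     // nothing declared, default http
    [SCHEME_UNSET, 'http', 'http',  '/news/'],     // request already matches
];
foreach ($samples as [$page, $default, $scheme, $uri]) {
    $target = resolveSchemeRedirect($page, $default, $scheme, 'www.example.org', $uri);
    printf("%-5s %-11s -> %s\n", $scheme, $uri, $target ?? '(no redirect)');
}
```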



