[TYPO3-dev] Scheme enforcement in 4.5.x

[Ernesto Baschny [cron IT]]

Felix Nagel schrieb am 07.12.2011 15:13:

>> you don't need to enforce anything on link generation time. You enforce
>> a redirect on the landing page: Once you hit the landing page, it will
>> redirect you to the HTTP or HTTPS variant, whichever is configured. This
>> is how https_enforcer and the new feature in TYPO3 4.5 works. Only that
>> the new feature of 4.5 lacks a way of telling which is the "default"
>> scheme for pages where nothing has been declared (leaving the protocol
>> untouched).

> Right. I dont like to use https_enforcer as TYPO3 4.5 (should) have
> scheme support built in and the extension has a lot overhead.

I ended up using https_enforcer again after noticing the current
limitation of the missing "default".

>> Once we have a way to specify the default value (new feature, candidate
>> for backporting to 4.5 in my eyes), you can set that to "http" and
>> wherever you are in HTTPS mode, and click on a link, the first browser
>> will call that page with HTTPS and then switch (redirect) to HTTP
>> (because that's the default).

> There is no such feature in TYPO3 4.6 isnt it? Im a little confused
> because you wrote backporting.

Sorry for the confusion. I meant: As soon as we have this new feature
(in 4.7 / current master), it would be a candidate to backport to 4.5 -
and 4.6).

>> No need to try to parse typoscript settings from remote trees where you
>> are linking to. The destination page should know what to do. This also
>> handles the case when external links points to a page which is supposed
>> to be HTTPS (and user is going to it with HTTP): the magic redirects the
>> user to the correct protocol.

> So you would like to extend the redirect functionality within function
> fetch_the_id (class.tslib_fe.php) instead of my approach (typoLink
> function in class.tslib_content.php), right?
> 
> I assume this would be working, but I was not able to get a TS config in
> that function (via somehting like
> $GLOBALS['TSFE']->config['config']['urlScheme']) -- some Core Dev tips
> here? ;-)

I don't think this will be possible, because at that time, the
TypoScript rendering is not yet done. And for a good reason: If the
decision that the page should come from cache, we don't *want* to have
parsed all TypoScript before that (because that's the idea of the page
cache = to output the page as fast as possible and with as little
rendering overhead as possible).

So maybe it would be better to introduce the default protocol as a
TYPO3_CONF_VAR array, where you can have a mapping from domainname to
default scheme?

> I must confess I dont like the idea of generating "incorrect" links and
> redirect to the correct destination. Redirecting should not be the
> default, correct links should be default.
> Afaics there is another big disadvantage using a forced redirect (at
> least if redirecting because of a default config): users would not be
> possible to use a "always use https" plugin within their browsers.

Yes, there are downsides to the redirection, but this would be the least
intrusive addition that we might get backported to 4.5.

For 4.7 - new release - an additional new feature that generates the
correct links from start would be great, of course.

Cheers,
Ernesto