[TYPO3-dev] Scheme enforcement in 4.5.x

Ernesto Baschny [cron IT] ernst at cron-it.de
Tue Jun 28 09:07:01 CEST 2011


Ernesto Baschny [cron IT] schrieb am 28.06.2011 08:55:
> Lucas Thurston schrieb am 27.06.2011 23:36:
>> Hi all,
>> I have an issue that I'm hoping someone has a finely crafted solution or
>> the seed of a solution for, or maybe just knows something about. It has
>> to do with the url_scheme field on the pages record which is new in
>> TYPO3 4.5. This field allows the selection of one of three values:
>> default, http, or https. The idea is that if http or https is selected
>> and a page is hit in the other scheme, the visitor gets redirected to
>> the specified scheme.
>>
>> I'll add that I'm using RealURL and, of course, setting the base tag
>> with the scheme and domain, and, with a Typoscript condition, varying
>> whether the scheme is http or https. Nothing out of the ordinary.
>>
>> Assuming you've selected either http or https for every page on the
>> site, this all works fine so far. If you haven't set every non-https
>> page on the site to http, however, you've got a problem when someone
>> clicks a link to a page designated as http from a page designated as
>> https. When you go to that page, the browser location bar is going to
>> read https. The base href is going to indicate an http scheme, and
>> you've got secure / insecure warnings (which, I might add, appear to
>> persist in Chrome version 12 until you restart the browser) all over the
>> place.
>>
>> What's missing, in my view, is a "default" that forces a redirect. This
>> way when going from one to the other, there's no chance of getting mixed
>> https / http unless you do something dumb.
>>
>> The code that handles this redirection is in tslib_fe::fetch_the_id()
>> method. I can see that it doesn't do anything if the "default" option is
>> selected (0). Only if http or https is set does anything happen. I don't
>> really think that selecting http on every page of a site except the
>> three that need to be secure is a viable option. It'd be better to
>> handle it like https_enforcer did, enforcing those pages that are set to
>> https and defaulting to http otherwise.
>>
>> I could probably modify the code in TSFE, bugtracker / Gerrit this thing
>> within an hour, but I wanted to see if anyone knew of any changes around
>> this, or had any insight.
> 
> Yes, I stumbled over the same drawback and got back to http_enforcer. I
> agree that adding an "enforced default" would be great, and maybe it's
> really just a design bug. We'll check with Steffen Ritter, who
> implemented this feature, what he thinks about it.
> 
> I would agree to at least add a new setting (typoscript?) that specifies
> what "default" means:
> 
> - default (or not present) for backwards compatibility: leave protocol alone
> - "http": enforce http if nothing else is specified
> - "https": enforce https, if nothing else is specified
> 
> Being a new setting it has to be included in 4.6.
> 
> Nevertheless it has to be made sure the current way of handling it makes
> any sense at all in 4.5, else we could consider it a bug.

FYI: Steffen and I (and other interested parties) will "put our brains"
together next week during the T3DD to discuss the issue. He mentioned
that there are other troubles, related to the monstrous typolink function.

Cheers,
Ernesto
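The redirect behaviour Lucas describes (tslib_fe::fetch_the_id() only acts when a page's url_scheme is explicitly http or https) and the "enforced default" setting Ernesto proposes, modelled as a small stand-alone simulation. This is an added example, not TYPO3 code and not code from anyone in the thread; the numeric mapping 1 = http, 2 = https, the site layout, the hostname and the rule used for the <base> scheme are assumptions made for the model.

```python
"""
Model of the pages.url_scheme redirect described in the thread, plus the
proposed "enforced default". Constructed example; not TYPO3 code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# pages.url_scheme values as described in the thread: default, http, https.
# The thread only says "default" is 0; the 1/2 mapping is an assumption.
URL_SCHEME_DEFAULT, URL_SCHEME_HTTP, URL_SCHEME_HTTPS = 0, 1, 2
SCHEME_NAME = {URL_SCHEME_HTTP: "http", URL_SCHEME_HTTPS: "https"}


@dataclass
class Page:
    path: str
    url_scheme: int = URL_SCHEME_DEFAULT


def enforced_scheme(page: Page, default_policy: Optional[str]) -> Optional[str]:
    """Scheme the page must be served under, or None to leave the request alone.

    An explicit http/https on the page record always wins. A page left at
    "default" falls back to default_policy, which models the setting proposed
    in the thread: None (4.5 behaviour: do nothing), "http" or "https".
    """
    if page.url_scheme in SCHEME_NAME:
        return SCHEME_NAME[page.url_scheme]
    return default_policy


def redirect_target(page: Page, request_scheme: str, host: str,
                    default_policy: Optional[str] = None) -> Optional[str]:
    """Models the check in tslib_fe::fetch_the_id(): return the Location URL
    when the request scheme differs from the enforced one, else None."""
    want = enforced_scheme(page, default_policy)
    if want is None or want == request_scheme:
        return None
    return f"{want}://{host}{page.path}"


def base_href_scheme(page: Page) -> str:
    """Scheme written into the <base> tag. Models a TypoScript condition that
    emits https only for pages flagged https and http for everything else
    (assumed; this is the setup the thread describes)."""
    return "https" if page.url_scheme == URL_SCHEME_HTTPS else "http"


def follow_link(current_scheme: str, target: Page, host: str,
                default_policy: Optional[str] = None) -> Tuple[str, bool]:
    """Click a relative link from a page served under current_scheme.

    The browser reuses current_scheme for the request; the server may answer
    with a redirect. Returns (final location scheme, mixed_content), where
    mixed_content is True when the final location scheme and the page's
    <base> scheme disagree, the situation that produces the secure/insecure
    warnings described in the thread.
    """
    location = redirect_target(target, current_scheme, host, default_policy)
    final_scheme = location.split("://", 1)[0] if location else current_scheme
    return final_scheme, final_scheme != base_href_scheme(target)


def walk(pages: List[Page], host: str = "www.example.invalid",
         default_policy: Optional[str] = None,
         start_scheme: str = "http") -> List[Tuple[str, str, bool]]:
    """Navigate through pages in order, returning (path, scheme, mixed) per hop."""
    scheme, trail = start_scheme, []
    for page in pages:
        scheme, mixed = follow_link(scheme, page, host, default_policy)
        trail.append((page.path, scheme, mixed))
    return trail


# Constructed site: only the checkout is flagged https, the rest is "default".
SITE = [Page("/"), Page("/checkout/", URL_SCHEME_HTTPS), Page("/about/")]

if __name__ == "__main__":
    for policy in (None, "http"):
        print(f"default policy = {policy!r}")
        for path, scheme, mixed in walk(SITE, default_policy=policy):
            print(f"  {scheme}://www.example.invalid{path}  mixed={mixed}")
```

With default_policy=None (the 4.5 behaviour) the walk ends on /about/ under https with an http base href, i.e. the mixed-content state Lucas ran into; with default_policy="http" the same hop is redirected back to http and the mismatch disappears, which is the effect the proposed setting is meant to have.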