[TYPO3-dev] Scheme enforcement in 4.5.x
Jigal van Hemert
jigal at xs4all.nl
Tue Jun 28 10:27:30 CEST 2011
Hi,
On 28-6-2011 8:55, Ernesto Baschny [cron IT] wrote:
> Lucas Thurston schrieb am 27.06.2011 23:36:
>> I have an issue that I'm hoping someone has a finely crafted solution or
>> the seed of a solution for, or maybe just knows something about. It has
>> to do with the url_scheme field on the pages record which is new in
>> TYPO3 4.5. This field allows the selection of one of three values:
>> default, http, or https. The idea is that if http or https is selected
>> and a page is hit in the other scheme, the visitor gets redirected to
>> the specified scheme.
If my memory is correct from the time this was implemented the
functionality is slightly different: it influences the way a link is
built to the page with this setting:
- default: make a relative link, thus preserving the current scheme
- http: make an absolute link using the http:// scheme
- https: make an absolute link using the https:// scheme
>> Assuming you've selected either http or https for every page on the
>> site, this all works fine so far. If you haven't set every non-https
>> page on the site to http, however, you've got a problem when someone
>> clicks a link to a page designated as http from a page designated as
>> https. When you go to that page, the browser location bar is going to
>> read https.
Correct, that is the behaviour of 'default': it keeps the scheme that is
currently used, whether it's http or https, by using relative links.
>> The base href is going to indicate an http scheme, and
>> you've got secure / insecure warnings (which, I might add, appear to
>> persist in Chrome version 12 until you restart the browser) all over the
>> place.
So, in fact the problem is that you set a base href with http protocol
despite the fact that the page can be accessed with both http and https?
> Yes, I stumbled over the same drawback and got back to http_enforcer. I
> agree that adding an "enforced default" would be great, and maybe it's
> really just a design-bug. We'll check with Steffen Ritter, who
> implemented this feature, what he thinks about it.
>
> I would agree to at least add a new setting (typoscript?) that specifies
> what "default" means:
>
> - default (or not present) for backwards compatibility: leave protocol alone
> - "http": enforce http if nothing else is specified
> - "https": enforce https, if nothing else is specified
What is missing is a Typoscript setting for the protocol. If you need to
set an entire (sub)tree to https (or http) you need to set the setting
in each and every page.
A simple Typoscript setting config.forceProtocol (also available through
page.config.forceProtocol) would be enough to set it for a (sub)tree.
Maybe we need four values in the page properties for maximum flexibility:
- <none> : use Typoscript setting (as usual with settings)
- http : overwrite Typoscript for this page with 'http'
- https : overwrite Typoscript for this page with 'https'
- ignore / keep / any : ignore Typoscript setting and use the protocol
in the current request
--
Kind regards / met vriendelijke groet,
Jigal van Hemert.
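
Added example, not part of the original message and not TYPO3 core code: a sketch of the precedence proposed above, where the page setting overrides a subtree-wide config.forceProtocol and "keep" falls back to a relative link. The function names and the string values '', 'http', 'https' and 'keep' are assumptions made for this illustration.

```php
<?php
// Illustration only. Names and setting values are hypothetical, chosen to
// mirror the four page values and config.forceProtocol discussed above.

/**
 * Decide which scheme a link to a page should carry.
 * Returns 'http' or 'https', or null when a relative link should be emitted.
 */
function resolveLinkScheme(string $pageSetting, string $forceProtocol): ?string
{
    $allowed = ['http', 'https'];

    // The page pins a scheme: this overrides the TypoScript setting.
    if (in_array($pageSetting, $allowed, true)) {
        return $pageSetting;
    }
    // ignore / keep / any: TypoScript is ignored, the request scheme is kept.
    if ($pageSetting === 'keep') {
        return null;
    }
    // <none>: inherit config.forceProtocol when it holds a valid value.
    if ($pageSetting === '' && in_array($forceProtocol, $allowed, true)) {
        return $forceProtocol;
    }
    // Nothing configured, or an unknown value: relative link, as 'default' does.
    return null;
}

function buildLink(string $host, string $path, string $pageSetting, string $forceProtocol): string
{
    $scheme = resolveLinkScheme($pageSetting, $forceProtocol);
    $path = '/' . ltrim($path, '/');
    // A relative link resolves against the document's base URL, so a base href
    // with a fixed scheme decides the outcome, not the address bar.
    return $scheme === null ? $path : $scheme . '://' . $host . $path;
}

// Constructed sample cases: [page setting, config.forceProtocol].
$cases = [['', 'https'], ['http', 'https'], ['keep', 'https'], ['', '']];
foreach ($cases as [$page, $ts]) {
    printf("page=%-6s ts=%-6s => %s\n", $page ?: '<none>', $ts ?: '<none>',
        buildLink('www.example.org', 'checkout/', $page, $ts));
}
```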