[TYPO3-dev] Scheme enforcement in 4.5.x

Lucas Thurston lucas at castironcoding.com
Wed Jun 29 15:34:19 CEST 2011


On 6/28/11 12:07 AM, Ernesto Baschny [cron IT] wrote:
> Ernesto Baschny [cron IT] schrieb am 28.06.2011 08:55:
>> Lucas Thurston schrieb am 27.06.2011 23:36:
>>> Hi all,
>>> I have an issue that I'm hoping someone has a finely crafted solution or
>>> the seed of a solution for, or maybe just knows something about. It has
>>> to do with the url_scheme field on the pages record which is new in
>>> TYPO3 4.5. This field allows the selection of one of three values:
>>> default, http, or https. The idea is that if http or https is selected
>>> and a page is hit in the other scheme, the visitor gets redirected to
>>> the specified scheme.
>>>
>>> I'll add that I'm using RealURL and, of course, setting the base tag
>>> with the scheme and domain, and, with a Typoscript condition, varying
>>> whether the scheme is http or https. Nothing out of the ordinary.
>>>
>>> Assuming you've selected either http or https for every page on the
>>> site, this all works fine so far. If you haven't set every non-https
>>> page on the site to http, however, you've got a problem when someone
>>> clicks a link to a page designated as http from a page designated as
>>> https. When you go to that page, the browser location bar is going to
>>> read https. The base href is going to indicate an http scheme, and
>>> you've got secure / insecure warnings (which, I might add, appear to
>>> persist in Chrome version 12 until you restart the browser) all over the
>>> place.
>>>
>>> What's missing, in my view, is a "default" that forces a redirect. This
>>> way when going from one to the other, there's no chance of getting mixed
>>> https / http unless you do something dumb.
>>>
>>> The code that handles this redirection is in tslib_fe::fetch_the_id()
>>> method. I can see that it doesn't do anything if the "default" option is
>>> selected (0). Only if http or https is set does anything happen. I don't
>>> really think that selecting http on every page of a site except the
>>> three that need to be secure is a viable option. It'd be better to
>>> handle it like https_enforcer did, enforcing those pages that are set to
>>> https and defaulting to http otherwise.
>>>
>>> I could probably modify the code in TSFE, bugtracker / Gerrit this thing
>>> within an hour, but I wanted to see if anyone knew of any changes around
>>> this, or had any insight.
>>
>> Yes, I stumbled over the same drawback and got back to http_enforcer. I
>> agree that adding an "enforced default" would be great, and maybe it's
>> really just a design-bug. We'll check with Steffen Ritter, who
>> implemented this feature, what he thinks about it.
>>
>> I would agree to at least add a new setting (typoscript?) that specifies
>> what "default" means:
>>
>> - default (or not present) for backwards compatibility: leave protocol alone
>> - "http": enforce http if nothing else is specified
>> - "https": enforce https, if nothing else is specified
>>
>> Being a new setting it has to be included in 4.6.
>>
>> Nevertheless it has to be made sure the current way of handling it makes
>> any sense at all in 4.5, else we could consider it a bug.
>
> FYI: Steffen and I (and other interested parties) will "put our brains"
> together next week during the T3DD to discuss the issue. He mentioned
> that there are other troubles, related to the monstrous typolink function.
>
> Cheers,
> Ernesto
>

Cool, let me know what you come up with. Meanwhile, I'll probably put 
together a quick pibase plugin at page.5, like https enforcer, that 
checks the url_scheme and does the same redirect that currently exists 
in tslibfe.

If I can do anything to help out, let me know.

thanks,
Lucas
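
The scheme decision discussed in this thread, as an added example that is not part of the original messages and not TYPO3 core code. The function name, the `$defaultPolicy` setting, the canonical-host parameter and the constant values 1 and 2 are assumptions; the thread only states that "default" is 0.

```php
<?php
// Added illustration, not TYPO3 core code.
const SCHEME_DEFAULT = 0; // stated in the thread
const SCHEME_HTTP    = 1; // assumed value
const SCHEME_HTTPS   = 2; // assumed value

/**
 * Decide whether a request must be redirected to the other scheme.
 *
 * @param int    $pageScheme     url_scheme of the requested page record
 * @param string $defaultPolicy  hypothetical setting: '' (leave alone), 'http' or 'https'
 * @param bool   $requestIsHttps whether the current request arrived over TLS
 * @param string $canonicalHost  host from site configuration, not the Host header
 * @param string $requestUri     path and query of the current request
 * @return string|null           absolute redirect target, or null if none is needed
 */
function resolveSchemeRedirect($pageScheme, $defaultPolicy, $requestIsHttps, $canonicalHost, $requestUri)
{
    $pageScheme = (int) $pageScheme; // database fields arrive as strings
    if ($pageScheme === SCHEME_HTTPS) {
        $wanted = 'https';
    } elseif ($pageScheme === SCHEME_HTTP) {
        $wanted = 'http';
    } elseif ($defaultPolicy === 'http' || $defaultPolicy === 'https') {
        $wanted = $defaultPolicy; // the "enforced default" proposed in the thread
    } else {
        return null;              // backwards compatible: leave the protocol alone
    }
    if ($wanted === ($requestIsHttps ? 'https' : 'http')) {
        return null;              // already on the required scheme
    }
    // Collapse leading slashes and backslashes so the target stays a local path.
    $path = '/' . ltrim($requestUri, "/\\");
    return $wanted . '://' . $canonicalHost . $path;
}

// Constructed sample requests: url_scheme, arrived over https?, request URI.
$samples = array(
    array(SCHEME_HTTPS,   false, '/checkout/'),
    array(SCHEME_DEFAULT, true,  '/news/?page=2'),
    array(SCHEME_DEFAULT, false, '/news/'),
);
foreach ($samples as $s) {
    $target = resolveSchemeRedirect($s[0], 'http', $s[1], 'www.example.org', $s[2]);
    echo $s[2], ' => ', ($target === null ? 'no redirect' : $target), "\n";
}
```

With `$defaultPolicy` set to `''` the function behaves as the thread describes for 4.5: pages left on "default" are never redirected.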



