Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
yourls_get_favicon_url is abused by yourls_match_current_protocol #2430
yourls_get_favicon_url() seems to take for granted that PHP will always share the same protocol as the frontend server.
Problem: generated favicon protocol doesn't match admin console protocol when Yourls is behind a reverse proxy.
Steps to reproduce:
When these conditions are met, the favicon address to the long URL domain is generated using HTTP
Also a few warnings about mixed content can be observed in the console.
Would it make more sense to use a protol relative address instead:
Using the following code made the warnings go away and the favicons show up:
(I only removed the hardcoded "http:" from the URL)
That stands with google favicon where both http and https are available, but there are still some http-only servers out there, and there are YOURLS plugins that implement other protocols so it could be an issue to implement that "everywhere".