Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Discourage use of @web in base URL #3559

Closed
putyourlightson opened this issue Dec 14, 2018 · 5 comments

Comments

Projects
None yet
3 participants
@putyourlightson
Copy link
Contributor

commented Dec 14, 2018

From the docs (https://docs.craftcms.com/v3/sites.html#site-url):

Don’t ever use the @web alias when defining your sites’ Base URLs. It could introduce a cache poisoning vulnerability, and Craft won’t be able to reliably determine which site is being requested.

I completely agree with the warning about using @web in a site's base URL and therefore suggest changing the "Base URL" description text when editing a site in the control panel to something more appropriate.

screenshot 2018-12-14 at 18 07 55

@putyourlightson putyourlightson changed the title Discourage use of @web in Base URL Discourage use of @web in base URL Dec 14, 2018

@brandonkelly

This comment has been minimized.

Copy link
Member

commented Dec 14, 2018

Yeah agree. We’re going to to move away from it (and aliases in general) in 3.1 in favor of environment variables thanks to the new support for them in CP settings (https://github.com/craftcms/cms/blob/3.1/docs/config/environments.md#control-panel-settings).

@putyourlightson

This comment has been minimized.

Copy link
Contributor Author

commented Dec 15, 2018

Perfect, thanks!

@brandonkelly brandonkelly reopened this Dec 15, 2018

brandonkelly added a commit that referenced this issue Dec 29, 2018

@brandonkelly

This comment has been minimized.

Copy link
Member

commented Dec 29, 2018

As of the next Craft 3.1 beta release, the web and CLI installers will no longer suggest @web for the site URL, and whatever URL is entered will be saved as a DEFAULT_SITE_URL environment variable in .env, and the actual site URL that gets stored will be replaced with $DEFAULT_SITE_URL (see 96867ed).

brandonkelly added a commit that referenced this issue Jan 11, 2019

@jorenvanhee

This comment has been minimized.

Copy link

commented Feb 19, 2019

The CLI installer still uses @web as default site URL. Site URL: [@web/]

@brandonkelly

This comment has been minimized.

Copy link
Member

commented Feb 19, 2019

That will only happen if you are installing with a config/project.yaml file already in place that defines a primary site with the baseUrl set to @web, or if you have a DEFAULT_SITE_URL environment variable defined, which is set to @web. In either case, Craft will just go with the flow. Otherwise no it will not recommend @web out of the blue anymore.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.