yourls_get_favicon_url is abused by yourls_match_current_protocol #2430

@tobozo

Description

yourls_get_favicon_url() seems to take for granted that PHP will always share the same protocol as the frontend server.

Problem: generated favicon protocol doesn't match admin console protocol when Yourls is behind a reverse proxy.

Steps to reproduce:

  1. Yourls is behind nginx reverse proxy: e.g. Apache/PHP (HTTP) <=> Nginx (HTTPS) <=> Client
  2. Visit https://my.yours.installation/xxx+ to see the stats of the xxx short URL

When these conditions are met, the favicon address for the long URL's domain is generated using HTTP (http://www.google.com/s2/favicons/.....) instead of HTTPS; in some situations the favicon won't show up on the stats page.

Also a few warnings about mixed content can be observed in the console.

Would it make more sense to use a protocol-relative address instead: //www.google.com/s2/favicons/..... ?

Using the following code made the warnings go away and the favicons show up:

```php
function yourls_get_favicon_url( $url ) {
    // Protocol-relative URL: the browser picks the scheme of the page that embeds it.
    return yourls_match_current_protocol( '//www.google.com/s2/favicons?domain=' . yourls_get_domain( $url, false ) );
}
```

(I only removed the hardcoded "http:" from the URL)
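The root cause described above is that PHP only sees the plain-HTTP hop between nginx and Apache, so any "current protocol" detection based on the local request says HTTP while the browser is on HTTPS. The following is an added, stand-alone example (not YOURLS code; `client_scheme`, `favicon_url` and the `TRUSTED_PROXIES` list are hypothetical names introduced here) that shows how a backend can recover the client-facing scheme from `X-Forwarded-Proto` without trusting that header from arbitrary clients, and builds the favicon URL from it. The request arrays are constructed to mirror the reverse-proxy setup in the report.

```php
<?php
// Added example, not part of YOURLS. Demonstrates scheme detection behind a
// TLS-terminating reverse proxy and why the forwarded header must only be
// honored when the immediate peer is a known proxy.

// Hypothetical allow-list of proxy addresses (constructed sample values).
const TRUSTED_PROXIES = ['127.0.0.1', '::1', '10.0.0.5'];

// Returns 'http' or 'https' as seen by the end user.
function client_scheme(array $server, array $trusted = TRUSTED_PROXIES): string {
    $direct_https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    $scheme = $direct_https ? 'https' : 'http';

    // Only trust X-Forwarded-Proto when the request came from a listed proxy;
    // otherwise any client could inject the header and steer generated URLs.
    if (in_array($server['REMOTE_ADDR'] ?? '', $trusted, true)
        && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        // Proxies may append a comma-separated chain; the first entry is the
        // scheme the client actually used.
        $first = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0]));
        if ($first === 'https' || $first === 'http') {
            $scheme = $first;
        }
    }
    return $scheme;
}

// Builds the favicon lookup URL for the domain of a long URL. The body is a
// protocol-relative URL (as proposed in the report); the scheme is prepended
// explicitly so the result can be used outside an HTML page too.
function favicon_url(string $long_url, string $scheme): string {
    $host = parse_url($long_url, PHP_URL_HOST) ?: '';
    $relative = '//www.google.com/s2/favicons?domain=' . rawurlencode($host);
    return $scheme . ':' . $relative;
}

// Constructed request as PHP sees it behind nginx (HTTPS) -> Apache (HTTP):
$server = [
    'HTTPS'                  => '',          // backend hop is plain HTTP
    'REMOTE_ADDR'            => '10.0.0.5',  // the proxy, not the end user
    'HTTP_X_FORWARDED_PROTO' => 'https',     // what the user's browser used
];
echo favicon_url('https://example.com/some/page', client_scheme($server)), "\n";

// Same header arriving directly from an unlisted address is ignored, so the
// local (plain-HTTP) view wins:
$server['REMOTE_ADDR'] = '203.0.113.7';
echo favicon_url('https://example.com/some/page', client_scheme($server)), "\n";
```

For the favicon case specifically, emitting the protocol-relative form straight into the HTML (as the report's patch does) is enough, since the browser resolves it against the page's own scheme; the explicit detection above matters when the application also generates absolute URLs for redirects, e-mails or API responses.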
