#32989 favicon

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by Ch3vr0n on Thursday, 07 May 2020 09:58 CDT

Ch3vr0n
Every now and then I run a GTMetrix.com performance test on sites I manage to ensure everything is still "up to snuff". Out of curiosity I explored the "Waterfall" tab (I usually only check PageSpeed and YSlow) and noticed an error 403 forbidden on favicon.ico. That stuck out to me. So I logged into Admin Tools (as that's the only factor I could think of that could be blocking it; right now I'm not saying it actually IS, merely saying it's the only possible "culprit" I can imagine).

I checked HTAccess maker and "ico" is listed under "Frontend file types allowed in selected directories" and nowhere else.

I took the gamble and just added "favicon.ico" to "Allow direct access to these files", and re-ran the GTMetrix scan. favicon now also got the 200 OK status instead of 403. So it looks like Admin Tools was indeed the "culprit" for the 403.

So the question is: is it normal behavior for Admin Tools (Pro) to "block" access to "favicon.ico" in the site root despite having "ico" listed under the option above? Or am I missing something?

To be clear, I'm not pointing any fingers or blaming, just wondering.

dlb
Admin Tools did it.

Beginning a few versions back, any file outside the /media or /images folders that needs to be directly accessed must have an exemption in .htaccess Maker. So it isn't just favicon.ico. If you have a folder that needs to be accessed, such as a Downloads folder, you can add access to the folder and all of the files will "inherit" the permission.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

Ch3vr0n
I'll assume this was done out of safety reasons, though why not add a default exclusion to favicon.ico like AT does for some Akeeba-related files? Unless I'm missing something (which is very possible), to my knowledge using favicon.ico for any type of exploit or security breach to "infect" the visitor isn't possible. (Though I may be very wrong here obviously, I'm no security expert.)

dlb
I agree with you, I'm not aware of any danger that is posed by a favicon file. I imagine that the reason they didn't put in a default exception is that not all sites use them; sometimes they are in the /template folder and sometimes the templates install them in the /images folder. One size doesn't fit all.

Joomla!'s best practices say that these types of directly accessible files should be in /media or /images so .htaccess Maker enforces that policy.



Ch3vr0n
Thanks for the response. Maybe someone from the Akeeba team would like to chip in here. Perhaps it would be doable IF AT detects a favicon file on installation of it, it could add an exclusion. Or perhaps an exclusion added by default. If the file doesn't exist, it just won't load; and if it does exist, with a default exclusion it won't error out with 403.

I'm curious what, for example, Nicholas would have to say here :)

Though naturally with the htaccess maker, it's a quick fix. Just spewing random ideas here now :)

dlb
I ran this idea by Nicholas. He was very emphatic that the automatic exclusion would interfere with transferring sites between servers.



Ch3vr0n
Empathic? From my knowledge of English, it means the ability to understand and share the feelings of another. I don't fully understand what that means relative to this issue. Is that good or bad? Wrong post perhaps? This ticket issue about moving sites between servers.

dlb
I apologize for the confusion. "Emphatic" means expressing something forcibly and clearly. You are thinking of empathetic.

What he said was:
No no no no no no no no!

This file is one that we should never ever automatically exclude

It would [interfere with] sites on transfer between servers.



Ch3vr0n
Ah ok, well no worries then. It's not like it's difficult to fix. But that does make me wonder about what kind of interference. Anything you can explain in layman's terms without exposing security safety info?

dlb
I'm sorry, that's all he told me.



Ch3vr0n
Ah well, was worth the ask. Case closed then.

nicholas
Akeeba Staff
Manager
To be clear, you shouldn't put files in your site's root. It's bad practice. Joomla has specific locations where web accessible, static media files can be located in e.g. your template's folder or the media folder.

Your problem is that you put the file in the site's root which is the stone age approach. The correct approach for over 10 years now is to use link elements in your HTML output to explicitly reference the various sizes and formats of site icons so that different browsers on different platforms can find the correct one.

Please do bear in mind that the default rules in Admin Tools' .htaccess Maker do make it possible to have your site's icons – even in the legacy and discouraged .ico format – in the folders Joomla allows static media files including the folders I already mentioned above.

Adding automatic exceptions is a terrible idea when transferring sites among servers. Many servers come with a small set of preinstalled files, one of which is a favicon.ico. Sometimes permissions issues make it impossible to overwrite them on backup restoration. It is therefore possible that by adding an automatic exception we'll make your site serve that default icon instead.

Here is some more in-depth information on the subject of site icons in general and how to reference them in your HTML output: https://www.emergeinteractive.com/insights/detail/The-Essentials-of-FavIcons/

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
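
The policy discussed in this thread, as an added example (not Admin Tools' code or the rules its .htaccess Maker generates): a small Python audit that lists the icon URLs a page declares through link elements and flags those a directory-based allow policy would refuse. The allowed directories and extensions, the function names and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Assumptions modelled on the thread, not Admin Tools' real rule set.
ALLOWED_DIRS = ("media", "images", "templates")  # folders that may serve static files
ALLOWED_EXTS = {"ico", "png", "svg"}             # file types allowed in those folders
EXEMPT_FILES = set()                             # "Allow direct access to these files"


class IconLinks(HTMLParser):
    """Collect href values of <link> elements whose rel mentions an icon."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if tag == "link" and a.get("href") and any("icon" in r for r in rels):
            self.hrefs.append(a["href"])


def is_served(path, exempt=EXEMPT_FILES):
    """True if the modelled policy would serve this site-relative path."""
    # Drop the query string and resolve "..", so /media/../x counts as /x.
    clean = posixpath.normpath("/" + urlsplit(path).path).lstrip("/")
    if clean in exempt:
        return True
    top, _, rest = clean.partition("/")
    ext = clean.rsplit(".", 1)[-1].lower() if "." in clean else ""
    return bool(rest) and top in ALLOWED_DIRS and ext in ALLOWED_EXTS


def audit(html, exempt=EXEMPT_FILES):
    """Map every declared icon, plus the implicit /favicon.ico, to served or not."""
    parser = IconLinks()
    parser.feed(html)
    # Clients commonly request /favicon.ico on their own, so always check it.
    return {p: is_served(p, exempt) for p in parser.hrefs + ["/favicon.ico"]}


# Constructed sample <head>, not taken from any real site.
SAMPLE = """<head>
<link rel="icon" type="image/svg+xml" href="/media/templates/site/example/images/favicon.svg">
<link rel="apple-touch-icon" href="/images/icons/apple-touch-icon.png">
<link rel="shortcut icon" href="/favicon.ico?v=2">
</head>"""

if __name__ == "__main__":
    for path, ok in audit(SAMPLE).items():
        print(("200 " if ok else "403 ") + path)
```

Passing `{"favicon.ico"}` as `exempt` models the manual exemption from the first post; without it the root file is the only entry reported as refused.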

Ch3vr0n
Thanks for the detailed info Nicholas. Problem solved then! (wasn't really a problem anyway, merely an observation with a quick fix :))
