WordPress.org

Make WordPress Core

Opened 2 months ago

Closed 7 weeks ago

Last modified 6 weeks ago

#50131 closed defect (bug) (fixed)

Absent custom favicon triggers wp-admin .htaccess/.htpasswd prompt on frontend in Firefox

Reported by: finomeno
Owned by: SergeyBiryukov
Milestone: 5.4.2
Priority: normal
Severity: normal
Version: 5.4
Component: Customize
Keywords:
Focuses:
Cc:

Description

When there is no favicon set for a website and an extra security layer is set up on the /wp-admin/ directory with .htaccess and .htpasswd, Firefox shows the login prompt on the site's frontend when the browser issues a GET request to load /wp-admin/images/w-logo-blue.png as a default/fallback favicon. Clicking on 'Cancel' dismisses the prompt, and the GET request receives a '401 Unauthorised' response. The WP logo favicon isn't loaded then. Curiously, this doesn't seem to affect Chrome and other Chromium-based browsers.

I understand that this is a particular use case, but since setting up a favicon is optional and many sites don't do it, while setting up the extra protection on their /wp-admin/ (indeed, some hosting providers do that by default), this might significantly degrade user experience and even drive users away from websites.

Attachments (1)

50131.diff (1.2 KB) - added by whyisjake 7 weeks ago.


Change History (6)

#1 @SergeyBiryukov
2 months ago

  • Component changed from General to Customize

#2 @ocean90
2 months ago

  • Keywords needs-patch added; reporter-feedback removed
  • Milestone changed from Awaiting Review to 5.4.2
  • Severity changed from major to normal
  • Version changed from 5.4.1 to 5.4

I agree, this needs to be changed to load the image from wp-includes via includes_url() instead.

Related: #35322

@whyisjake
7 weeks ago

#3 @SergeyBiryukov
7 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 47832:

Customize: Load the default site icon from the wp-includes directory.

Files inside the wp-admin directory may not be publicly available.

Follow-up to [36635], [47018].

Props whyisjake, finomeno, ocean90.
Fixes #50131.

#4 @SergeyBiryukov
7 weeks ago

In 47833:

Customize: Load the default site icon from the wp-includes directory.

Files inside the wp-admin directory may not be publicly available.

Follow-up to [36635], [47018].

Merges [47832] to the 5.4 branch.

Props whyisjake, finomeno, ocean90.
Fixes #50131.

#5 @SergeyBiryukov
6 weeks ago

  • Keywords needs-patch removed

Note: [47832] also reinstates [36635] for embeds, which was accidentally reverted on the next day in [36693].
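
Added example, not part of the ticket or of WordPress core: a small audit for the condition reported above, listing front-end subresources that point into a password-protected /wp-admin/ directory and recognising the Basic-auth challenge that makes a browser prompt. The host name, the sample markup and the file name under wp-includes are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PROTECTED_PREFIX = "/wp-admin/"  # directory behind .htaccess/.htpasswd in the report


class _RefCollector(HTMLParser):
    """Collect href/src URLs from link, img, script and iframe tags."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and attrs.get("href"):
            self.refs.append(attrs["href"])
        elif tag in ("img", "script", "iframe") and attrs.get("src"):
            self.refs.append(attrs["src"])


def protected_refs(html, page_url, prefix=PROTECTED_PREFIX):
    """Return same-host subresource URLs whose path is under the protected prefix."""
    collector = _RefCollector()
    collector.feed(html)
    host = urlsplit(page_url).netloc
    hits = []
    for ref in collector.refs:
        absolute = urljoin(page_url, ref)  # resolve relative references
        parts = urlsplit(absolute)
        if parts.netloc == host and parts.path.startswith(prefix):
            hits.append(absolute)
    return hits


def triggers_auth_prompt(status, headers):
    """True when a response is a Basic-auth challenge, which makes a browser prompt."""
    challenge = {k.lower(): v for k, v in headers.items()}.get("www-authenticate", "")
    return status == 401 and challenge.lower().startswith("basic")


# Constructed sample markup: icon served from wp-admin versus from wp-includes.
BEFORE = '<head><link rel="icon" href="/wp-admin/images/w-logo-blue.png"></head>'
AFTER = '<head><link rel="icon" href="/wp-includes/images/w-logo-blue.png"></head>'

if __name__ == "__main__":
    print(protected_refs(BEFORE, "https://example.test/"))
    print(protected_refs(AFTER, "https://example.test/"))
    print(triggers_auth_prompt(401, {"WWW-Authenticate": 'Basic realm="admin"'}))
```

Run `protected_refs` over saved front-end HTML from a site that restricts /wp-admin/; any hit is a public page depending on a file that may answer with a 401 challenge.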
