dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

Grabbing wrong favicon #836

Closed PrivatePuffin closed 4 years ago

PrivatePuffin commented 4 years ago

Subject of the issue

It seems Bitwarden_rs always tries to download favicons from the domain root and ignores the actual favicon settings on the login page. This leads to an abundance of errors/warnings and timeouts.

Your environment

Steps to reproduce

Add a login for this site: https://signin.netapp.com/oamext/login.html

Look at the logs, notice it tries to download the favicon from: http://signin.netapp.com/favicon.ico. Notice how it fails to download the icon.

Now look at the page network tab, notice the actual URL for the favicon is: https://signin.netapp.com/oamext/images/favicon.ico

Now look at the page source, notice that the favicon is described here:

```html
<link href="./images/favicon.ico" rel="icon" type="image/x-icon">
<link href="./images/favicon.ico" rel="shortcut icon" type="image/x-icon">
```

Expected behaviour

It should respect the favicon setting of the login pages.

Actual behaviour

It always tries to grab domain-root favicons and totally ignores actual favicon settings.

Relevant logs

```
[2020-01-30 18:16:55][bitwarden_rs::api::icons][INFO] Icon save error: Os { code: 13, kind: PermissionDenied, message: "Permission denied" }
[2020-01-30 18:16:55][response][INFO] GET /icons/<domain>/icon.png (icon) => 200 OK
[2020-01-30 18:16:55][bitwarden_rs::api::icons][INFO] Download failed for http://signin.netapp.com/favicon.ico
[2020-01-30 18:16:55][bitwarden_rs::api::icons][ERROR] Error downloading icon: Empty response
[2020-01-30 18:16:55][bitwarden_rs::api::icons][INFO] Icon save error: Os { code: 13, kind: PermissionDenied, message: "Permission denied" }
```

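As an added illustration (not vaultwarden/bitwarden_rs code), the snippet below shows what resolving a page's declared `<link rel="icon">` against the login page URL looks like: the relative `./images/favicon.ico` on `/oamext/login.html` becomes `/oamext/images/favicon.ico`, which is the URL the reporter found in the network tab. It only works when the fetcher knows the full page URL, not just the domain, and it refuses icon hrefs that resolve to a different host so a page cannot send the server's fetcher to third-party hosts. The HTML sample and the `cdn.example` host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel list contains 'icon'."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        rel = (a.get("rel") or "").lower().split()
        if "icon" in rel and a.get("href"):
            self.hrefs.append(a["href"])


def resolve_icon_urls(page_url, html):
    """Return absolute, de-duplicated icon URLs declared by the page.

    Relative hrefs are resolved against page_url (not the domain root).
    Icons whose resolved host differs from the page host are dropped so the
    fetcher only ever requests the host the user's login entry points at.
    If the page declares no usable icon, fall back to /favicon.ico.
    """
    parser = IconLinkParser()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    out = []
    for href in parser.hrefs:
        url = urljoin(page_url, href)
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or parts.hostname != page_host:
            continue  # off-host or non-HTTP icon: ignore it
        if url not in out:
            out.append(url)
    return out or [urljoin(page_url, "/favicon.ico")]


# Constructed sample mirroring the <link> tags quoted in the issue,
# plus one off-host icon that the resolver must ignore.
SAMPLE_HTML = """<html><head>
 <link href="./images/favicon.ico" rel="icon" type="image/x-icon">
 <link href="./images/favicon.ico" rel="shortcut icon" type="image/x-icon">
 <link href="https://cdn.example/other.ico" rel="icon">
</head><body></body></html>"""

if __name__ == "__main__":
    for u in resolve_icon_urls("https://signin.netapp.com/oamext/login.html", SAMPLE_HTML):
        print(u)
```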
PrivatePuffin commented 4 years ago

This problem mostly shows with websites that host a login page on a sub page, but don't host anything on the login subdomain itself.

Another example: https://signin.ea.com/ doesn't host anything (and errors out on the favicon too), because this is the real login page: https://signin.ea.com/p/web2/login*LOGIN DATA STRING*

dani-garcia commented 4 years ago

Well, the clients only send the subdomain and domain; in this case the server gets https://signin.netapp.com, so if the image can't be obtained from there, then there isn't much we can do other than hardcode the value.

PrivatePuffin commented 4 years ago

@dani-garcia That's quite a major design oversight by upstream, as favicon locations are not actually standardised at all. But indeed, not yours to fix; you can't magically summon what you don't have.

Thanks for the reply :)