Web site, interactive API and non-interactive API now work together

Until now, RealFaviconGenerator consisted in two universes:

  • The interactive API, aka “User interacts with the UI to create a favicon”
  • The non-interactive API. Post a favicon generation request to the web service and get your package a second later

Although similar, these two domains used to never speak to each other.

This time is over. Now, when you use either the interactive API of simply RealFaviconGenerator as a web site, the non-interactive request is never far.

RealFaviconGenerator, the web site

The regular way to use RealFaviconGenerator is accessing it via the web browser. A few clicks later, you are ready to download the favicon package. Until today, that was the end of the story. But you can now get the equivalent non-interactive API request:

Generated non-interactive API request

Follow the instructions and you get a working API request.

Interactive API

The interactive API is not different of the classic web site: you get the same favicon editor and same options. When the client is back in control (for example the Favicon by RealFaviconGenerator WordPress plugin), the transaction is over.

But there is more: the API client receives the equivalent non-interactive API request. It can reissue the request as is to create the favicon again.

What’s next?

Expect some updates in the WordPress plugin in the next few weeks! Grunt and Gulp plugins are also on the TODO list.

XSS vulnerability fixed in the WordPress plugin

Five days ago, Kacper Szurek sent me an email to warn me about a security issue in the WordPress plugin. It was fixed a few minutes ago. Please update to v1.2.13.

How dangerous this breach was? It would allow an attacker to trick the authenticated administrator of a WordPress site to download and install a faked favicon package. Because the package contains HTML code to be added to the header of each page, this attack could basically lead to code injection. Such attack would be quite sophisticated: the attacker needs to target a blog, contact its administrator and trick him to make him click on a forged URL.

Thank you very much Kacper for having reported this one!

New favicon? No problem!

Favicon caching is a classic issue when updating your existing icon. Here is the story: your web site had the same favicon for months or even years. And now you update it. Great! Except that all your regular visitors still see the previous version. Oh.

The well-known workaround is to version the favicon files by appending query parameters. For example, /favicon.ico?v=2. Now, RealFaviconGenerator lets you do just this.

Versioning screenshot

RealFaviconGenerator adds versioning to all files, including the ones referenced by the various manifests. You can use whatever value that fits your web project, but the hash of a timestamp is offered by default, thanks to HashIds.

This feature is also available via the non-interactive API.

SSL Support

Alright. Favicon is not the most sensible topic around. Plus this icon is expected to be published and viewed by as much visitors as possible.

Or not. Maybe you’re doing some experiments with RealFaviconGenerator. Maybe you work on a secret project and you don’t want anyone to know before the D day. In any case, you need privacy. Now RealFaviconGenerator supports SSL.

SSL Support

The story of this new feature is a bit particular. It all started with a support request for the WordPress plugin. Apparently some plugins, such as the CloudFlare Flexible SSL plugin, rewrite the URLs to always keep the WordPress admin in the safe SSL world, even when he leaves his dashboard. And since RealFaviconGenerator didn’t support SSL until now, it was either CloudFlare or RFG.

Adding SSL support way the best way to fix this. Plus everybody expect SSL nowadays, including me. So here it is.

But something else happened. A few days ago, the press revealed that the NSA has stolen thousands of SIM keys in order to spy mobile phone conversations. To do this, the NSA hacked Gemalto, a company where I used to work (strictly speaking I was part of Trusted Logic, acquired by Gemalto a few years ago). I was working on SIM cards and even if I didn’t see a single real life SIM key, this event has a special meaning to me.

So now SSL is on and the timing is perfect. Your favicons are safe. This won’t make you sleep better, but at least this small issue is fixed.

Get your favicon in HTML, XHTML or Jade

Until now, RealFaviconGenerator created HTML5. Meet our two new friends: XHTML and Jade.

Faviconin HTML, XHTML or Jade

XHTML is a bit old-fashion nowadays, but many people still need it. The primary difference between HTML and XHTML is the slef-closing markup syntax. XHTML demands a final slash (<markup/>) whereas HTML doesn’t (<markup>). XHTML supportis not strict, though. The sizes attribute is not supported by XHTML but RFG still produces it. The main advantage of this code is the trailing slash which absence annoys developers who use editors with error detection on.

Jade is the other new format. Its elegant syntax makes HTML code shorter. This template language is often used with Node.js.

Favicon – Why you’re doing it wrong

You know what the favicon is. This is this small icon in each browser’s tab.

The most famous favicon
The most famous favicon

Web developers are familiar with the classic favicon declaration:

<link rel="shortcut icon" href="/favicon.ico">

Each web site comes with its favicon. A must have. But wait, what is needed exactly?

The many faces of the favicon in 2015

With the iPhone and so many new devices created during the last 10 years, the favicon is no longer a single 16×16 picture. It has many usages, many sizes and many designs.

The most well-known derivative is the Apple Touch Icon for iOS. This icon is used when your visitor adds your site to his home screen. No Touch icon? iOS generates a miniature of the bookmarked web page and uses it as the icon. Not great.

With and without Touch icon
With and without Touch icon

Android and Windows 8 follow the same trend, each one with its own approach.

With so many buzz around mobile web and responsive design, it just becomes mandatory for the favicon to address these new platforms. Basically, if you still stick to the classic favicon.ico, you’re 10 years behind schedule.

Why is that?

It’s a mess

Creating a single 16×16 icon is easy. But what if we want to support iOS, Android, Windows 8 Metro and desktop browsers? We need 4 picture at a minimum. If we want to do the job completely and address everything (first generation iPhone, latest Retina iPad, Android Lollipop, IE 9, MacOS Safari…), we can create up to 26 pictures. Sounds like we gonna have a great day.

There are not only a lot of pictures. Declaring them is also tricky. With Windows 8.1 and IE 11, Microsoft introduced the new browserconfig.xml. The main purpose of this file is to create “live tiles” and make your Metro tiles dynamic. This is also where you declare your 4 pictures dedicated to IE 11. For example, the 310×310 tile picture, which is actually recommended to be 558×558, for high density screens (but still declared as the square310x310logo picture in browserconfig.xml. Is that clear enough?). Android Chrome M39 also comes with its own manifest. No XML but JSON here.

So we not only have to create a lot of pictures, we also need to learn a lot of stuff. Just to create a compelling favicon. Hum…

Design matters

So, creating 20-something icons is surely not funny, but this is something we can deal with. This task can be automated. Give a script our picture and the sizes we want, it will create them all in no time.

But wait! Creating a multi-platform favicon is not only a matter of size. Each platform has its own design requirements. For example, transparent icons fit the Android home screen well. But iOS prevents them. It simply fills the transparent regions with black, which is generally not what we want.

The Touch Icon of StackOverflow has its transparent background set to black by iOS. Was it intended?
The Touch Icon of StackOverflow has its transparent background set to black by iOS. Was it intended?

We not only have to generate a lot of icons. We have to craft them, platform per platform. Damn.

Google doesn’t help

Nowadays the first step to fix anything is to launch Google. Let’s do this and find the information we need. For example, what are the sizes of the Apple Touch icon? Let’s google “touch icon size”.

The first two results for "touch icon size"
The first two results for “touch icon size”

The first result is from StackOverflow. Exactly what we would expect. Unfortunately, the first answer is two iOS versions behind: it talks about the 144×144 touch icon for Retina iPad running iOS 6. iOS 7 introduced the 152×152 picture, and iOS8 adds the 180×180 picture. You have to scroll to the 4th answer to get it right.

All is not lost, the second result are the Apple specs themselves. End of the story? Not really. The specs were not updated for iOS 8. Nothing beyond 152×152 is documented there.

Okay but what we really need here is a favicon generator right? We don’t care about all these information after all. Google again, “favicon generator” this time.

Google answer for "favicon generator". No self-promotion intended of course :)
Google answer for “favicon generator”. No self-promotion intended of course

Out of the 7 first results, 6 of them only generate the favicon.ico you needed in the pre-iPhone era. Only one covers the whole spectrum. It appears that this is RealFaviconGenerator, the very site you’re visiting and reading right now. I was as surprised are you are.

So Google surely brings the correct answers but we still have to figure them out. “I feel lucky” doesn’t work with favicons.

Conclusion

If you want to master the art of favicon, the Favicon Cheat Sheet is a great place to start. It lists a lot of information in one single place, which is very valuable by itself. Mathias Bynens also does an excellent job at updating his famous article about Touch icons. The RealFaviconGenerator’s FAQ also deals with a lot of tips and tricks and references.

What if you don’t really wanna know everything about favicon, but simply get the job done quickly? Well, you have the next-gen favicon generator option. Which is, by the merest chance, this site. Yes, among 1 billion web sites, this article was just published by the site it was referring to as the best site ever. You didn’t see that coming and nor did I.

Is this an ad?

Yep. RealFaviconGenerator now displays an ad at the top of each page. I don’t feel the need to justify this decision but I’d like to comment it.

Donations

First, let’s talk about money. Since June 2014, RFG has a Paypal Donate button for users who want to support the service. I’ve already thanked them personally but let me seize the opportunity of this post to say:

Thanks you guys!!!!!

Seriously. This is amazing. I picture a user who just spent a minute or two on RFG and, while downloading his package, actually goes through the Paypal process to give money for something free anyway. Free and small: let’s face it, RFG saves only an hour of your life, not your life itself.

How many? Well, I didn’t make serious stats. RFG received nearly 100 donations in 8 months, with a slow down recently. I think regular users willing to give have already did it. How much? I think the record was set to $25. Wow. Most donations are something like $5. In the end, donations barely cover the hosting costs.

I received a mail last week suggesting to accept bitcoins, which I did. Now I’m waiting for the millions.

To conclude with donations, I must admit this is not my preferred way to earn money from a web site. One user out of a few thousands gives a significant amount of money while all the others get the service for free. To this respect, I like the spirit of Flattr, a micro donation service. As a consumer, you allocate a monthly donation budget: $2, $4… your choice. Each time you want to support a web site, a blogger, a Youtuber or whoever, you Flattr-like him. At the end of the month, your budget is divided among the people you liked. I would find way fairer to get a few cents from 1% of my users instead of 5$ from 0.01% users. Unfortunately, Flattr didn’t receive the audience it deserves (yet?).

Ads

Ads are more in line with the previous paragraph. Of course, this is not “giving” anymore. But each user pays with the little bit of attention the ad requires. A really small prize paid by everyone (you don’t use AdBlocker, do you?).

I discovered CarbonAds in the Bootstrap web site. Their ads were light, non-intrusive and technical-oriented. So I put this in my “maybe later” list. A few days ago, I contacted CarbonAds to give it a try. Some code to copy/paste, some style to add and here it is. Now I’m looking at the stats.

Maybe I’ll test AdSense, too.

The future

Well, I don’t know. At least there are two things I’m sure of.

First, I would like to make money from RFG. I think the service is useful. It fills a gap in web development. A small gap. So it won’t make me rich, but I want my small bucks.

Whatever happens, RealFaviconGenerator as it is today will remain free. In other words, whatever you do for free with RFG today will still be free tomorrow. No premium options, no API calls limit or stuff like this. This is a question of ethic. If I had planned to “close” the platform at some point, I would have had to mention it. This reminds me of MakerBot and their switch from open-source hardware to closed-source. Part of the community felt betrayed. Going from closed to open is obviously okay, and keeping closed is okay, too. But giving then taking back is not. And definitely not something I will do.

Ok, so, do you like the new ads? 🙂

Welcome, Android Chrome!

From the beginning, RealFaviconGenerator supports Android Chrome. Well, that was minimum service. Sure, the required icon was generated, but that was all. In particular, there was no “RealFaviconGenerator’s touch”, which is the ability to design an icon for that particular platform. Your master picture was used as is by Android.

Until now. RFG now provides full support for Android Chrome.

Android Chrome editor - Home screen

The icon editor is familiar: a set of sensible settings are offered so you can get the best of your icon and make is fit any Android device home screen:

  • Use the icon as it is. Easy one.
  • Apply margins and an opaque background. Classic. This one is especially useful when you have a picture with square corners. Because Android crops them, adding margins is a great workaround to keep the precious corners.
  • Drop shadow. Why a drop shadow? To copy Google. Look at the official Google apps: Gmail, Youtube or Chrome itself. They all have a thin drop shadow. You can make your icon stand out with the same effect.

In addition, RFG supports the new manifest introduced in Android Chrome M39. With this manifest come 6 icons. Apparently Google is willing to compete with Apple and its numerous Touch icons. As an option, you can also define the other fields of the manifest: web site aspect when it is launched from the home screen link, screen orientation, etc.

Android Chrome editor - Options

Older versions of Chrome are supported: the 192×192 PNG icon is still generated and declared in the vanilla HTML.

Also new with Android 5.0 Lollipop is the theme color. When listing the running apps, Android lets you define the color that fits your site best.

Android Chrome editor - Task switcher

In the end, Google did a great move with the new manifest. It finally allows us to define a platform-specific picture for Android Chrome, which is good news. Android is different of desktop and iOS. Wanting a particular design for the home screen icon make perfect sense. That point has haunted me for some time and I’m glad I’m on my way for resilience 🙂

The Android Chrome icon editor is the blue print for the next improvements in the UI. In particular, icon design settings can be used along with a dedicated picture. This is a long due TODO for iOS and Windows.

I hope you will like this new addition. Let me know what could be improved!

iOS startup image now available via the API

iOS lets you define a startup image. When your visitors add your web site to their home screen, this image is displayed for a short time when the home screen link is clicked.

Now you can create this image with the help of the non-interactive API. Well, “this image” actually means “these 7 images”. And the HTML code is not trivial. Definitely not something you want to deal with a few hours before the release of your next web project.

Special thanks to Taylor Fausak for his great iOS startup image reference! The official Apple docs are clearly outdated.

Oh, and if you think the photo used to illustrate this post is below standards: just try to take a screenshot of an actual startup image. The image appears for a second, at most. It is awfully hard! 😉