Project

General

Profile

Actions

Patch #31022

closed

Always use HTTPS when accessing gravatar.com

Added by Go MAEDA almost 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
UI
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Today it is recommended to use HTTPS when accessing websites, but Redmine accesses gravatar.com with HTTP if the Redmine instance is accessed with HTTP. This is because Redmine generates protocol-relative URLs for Gravatar images (#21855#note-2).

I think we don't have to switch the protocol to access gravatar.com depending on the protocol of the Redmine instance. It will be secure, and moreover, it may improve performance when there are a lot of icons on a single page because of HTTP/2 used in gravatar.com. With HTTP/2, clients can download images in parallel with a single TCP connection.

Index: lib/plugins/gravatar/lib/gravatar.rb
===================================================================
--- lib/plugins/gravatar/lib/gravatar.rb    (リビジョン 17938)
+++ lib/plugins/gravatar/lib/gravatar.rb    (作業コピー)
@@ -61,7 +61,7 @@

     # Returns the base Gravatar URL for the given email hash
     def gravatar_api_url(hash)
-      "//www.gravatar.com/avatar/#{hash}" 
+      "https://www.gravatar.com/avatar/#{hash}" 
     end

     # Return the gravatar URL for the given email address.

Related issues

Related to Redmine - Feature #9112: Libravatar and Gravatar-compatible servers supportClosedGo MAEDA2011-08-24

Actions
Actions #1

Updated by Go MAEDA almost 6 years ago

  • Target version set to 4.1.0
Actions #2

Updated by Go MAEDA almost 6 years ago

This updated patch is frozen string literals ready.

Index: lib/plugins/gravatar/lib/gravatar.rb
===================================================================
--- lib/plugins/gravatar/lib/gravatar.rb    (revision 17946)
+++ lib/plugins/gravatar/lib/gravatar.rb    (working copy)
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'digest/md5'
 require 'cgi'

@@ -61,7 +63,7 @@

     # Returns the base Gravatar URL for the given email hash
     def gravatar_api_url(hash)
-      "//www.gravatar.com/avatar/#{hash}" 
+      'https://www.gravatar.com/avatar/' + hash.to_s
     end

     # Return the gravatar URL for the given email address.
Actions #3

Updated by Go MAEDA almost 6 years ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA

Committed.

Actions #4

Updated by Go MAEDA over 5 years ago

  • Related to Feature #9112: Libravatar and Gravatar-compatible servers support added
Actions #5

Updated by Marius BĂLTEANU over 5 years ago

  • Status changed from Closed to Reopened

We should remove the :ssl option because it is not used anymore:

vagrant@jessie:/vagrant/project/redmine$ git diff lib/plugins/gravatar/
diff --git a/lib/plugins/gravatar/lib/gravatar.rb b/lib/plugins/gravatar/lib/gravatar.rb
index aa8500b..f368b99 100644
--- a/lib/plugins/gravatar/lib/gravatar.rb
+++ b/lib/plugins/gravatar/lib/gravatar.rb
@@ -34,9 +34,6 @@ module GravatarHelper

     # The class to assign to the img tag for the gravatar.
     :class => 'gravatar',
-
-    # Whether or not to display the gravatars using HTTPS instead of HTTP
-    :ssl => false,
   }
Actions #6

Updated by Go MAEDA over 5 years ago

  • Status changed from Reopened to Closed

Marius BALTEANU wrote:

We should remove the :ssl option because it is not used anymore:

[...]

Committed the fix. Thank you for pointing it out.

Actions

Also available in: Atom PDF