[wp-trac] [WordPress Trac] #14682: Privacy leakage: gravatars leak identity information
WordPress Trac
noreply at wordpress.org
Sun Sep 22 03:50:32 UTC 2019
#14682: Privacy leakage: gravatars leak identity information
-----------------------------+------------------------------
 Reporter:  jmdh             |      Owner:  (none)
     Type:  defect (bug)     |     Status:  reopened
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Privacy          |    Version:  3.0
 Severity:  normal           | Resolution:
 Keywords:  privacy-roadmap  |    Focuses:
-----------------------------+------------------------------
Comment (by chrisherbert):
If you're proxying Gravatars through the site itself, do you need to do
any hashing at all? Couldn't you just do something like
example.com/wp-admin/gravatar-proxy.php?comment_id=1234, which would fetch
the Gravatar server side and pass it on to the user?

That way you wouldn't be exposing anything more than the comment ID, which
doesn't seem sensitive at all. I guess you'd be serving some redundant
images, since each comment would have a unique image URL even if they're
from the same user. That doesn't seem like a big deal though.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/14682#comment:57>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
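
An added illustration of the proxy idea in the comment above; it is not code from the ticket, its participants or WordPress core. The script location, the 96-pixel size, the `mm` default image and the one-day cache lifetime are assumptions. The point it shows is that the e-mail hash is computed and used only on the server, so the browser sees nothing but the comment ID.

```php
<?php
// Hypothetical wp-admin/gravatar-proxy.php (the path named in the comment above).
// Assumption: the file sits one directory below the WordPress root.
require_once dirname( __DIR__ ) . '/wp-load.php';

// Accept only a positive integer comment ID; nothing else from the request is used.
$comment_id = isset( $_GET['comment_id'] ) ? absint( $_GET['comment_id'] ) : 0;
$comment    = $comment_id ? get_comment( $comment_id ) : null;

// Serve avatars only for approved comments, so the proxy does not reveal
// anything about pending, spam or trashed comments.
if ( ! $comment || '1' !== $comment->comment_approved ) {
	status_header( 404 );
	exit;
}

// The e-mail hash is built and used server-side only; it never reaches the browser.
$hash = md5( strtolower( trim( $comment->comment_author_email ) ) );

// Fixed upstream host and fixed query string: no request data reaches the
// outbound URL, so the script cannot be steered to fetch other hosts.
$upstream = 'https://www.gravatar.com/avatar/' . $hash . '?s=96&d=mm';
$response = wp_remote_get( $upstream, array( 'timeout' => 5, 'redirection' => 0 ) );

if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
	status_header( 502 );
	exit;
}

// Forward the upstream content type only if it is an expected image type.
$type    = wp_remote_retrieve_header( $response, 'content-type' );
$allowed = array( 'image/jpeg', 'image/png', 'image/gif', 'image/webp' );
if ( ! in_array( $type, $allowed, true ) ) {
	status_header( 502 );
	exit;
}

header( 'Content-Type: ' . $type );
header( 'X-Content-Type-Options: nosniff' );
// One URL per comment means repeated images for the same author, as the
// comment notes; browser caching limits the cost of that.
header( 'Cache-Control: public, max-age=86400' );
echo wp_remote_retrieve_body( $response );
```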