[wp-trac] [WordPress Trac] #54363: Always load gravatars over HTTPS
WordPress Trac
noreply at wordpress.org
Tue Nov 2 11:45:41 UTC 2021
#54363: Always load gravatars over HTTPS
-------------------------+--------------------------------------
Reporter: dimadin | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords: has-patch has-unit-tests
Focuses: |
-------------------------+--------------------------------------
By default, when a page is loaded over HTTP, gravatars are also loaded over
HTTP. This can and should be changed.

There are two things here:

- The first thing is that the default URL base in `get_avatar_data()` needs
  to be changed. Now, if a page is loaded over HTTP, it uses the domain
  sharding technique to load the gravatar from one of three hostnames,
  `(0|1|2).gravatar.com`. With HTTP/2, domain sharding
  [https://love2dev.com/blog/domain-sharding-http-2/ is obsolete]. When a
  page is loaded over HTTPS, the gravatar is (correctly) always loaded from
  one hostname, `secure.gravatar.com`. I have changed this behavior so that
  the only hostname used is `www.gravatar.com`. All of these five hostnames
  are behind a CDN, so speed-wise it doesn't matter which hostname is used,
  but someone from @automattic can give a review.
- The second thing is that the default URL scheme used in
  `get_avatar_data()` needs to be changed. Now, the default scheme is
  `null`. Since that value is passed to `set_url_scheme()`, it means that
  the scheme of the URL is changed to the scheme of the loaded page. To be
  able to always have the HTTPS scheme by default, the default scheme value
  needs to be changed from `null` to `https`. For this, I have updated
  `get_avatar_data()`, `get_avatar_url()` and `get_avatar()`, and their
  documentation, but I have not added a changelog since I'm unsure whether
  we should log changes in one of the attributes.

I have also updated tests.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54363>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
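
The same outcome can be had on a site without patching core, by rewriting avatar URLs through the core `get_avatar_url` filter. This is an added example, not the patch attached to the ticket; the function name `example_force_https_gravatar` is hypothetical and the sample URLs are constructed.

```php
<?php
// Added example: not part of the ticket's patch.

/**
 * Rewrite a Gravatar URL to HTTPS on a single hostname.
 * URLs on any other host are returned unchanged.
 */
function example_force_https_gravatar( $url ) {
    $parts = parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return $url; // Relative or unparseable URL: leave it alone.
    }
    // The five hostnames named in the ticket: 0, 1, 2, secure and www.
    if ( ! preg_match( '/^(?:[012]|secure|www)\.gravatar\.com$/i', $parts['host'] ) ) {
        return $url; // Locally hosted or third-party avatar.
    }
    // Fixed scheme and host; path and query (size, default, rating) are kept.
    $rebuilt = 'https://www.gravatar.com' . ( isset( $parts['path'] ) ? $parts['path'] : '/' );
    if ( isset( $parts['query'] ) ) {
        $rebuilt .= '?' . $parts['query'];
    }
    return $rebuilt;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: apply to every avatar URL that core generates.
    add_filter( 'get_avatar_url', 'example_force_https_gravatar' );
} else {
    // Stand-alone run with constructed sample URLs (the hash is a placeholder).
    $samples = array(
        'http://1.gravatar.com/avatar/HASH_PLACEHOLDER?s=96&d=mm&r=g',
        'https://secure.gravatar.com/avatar/HASH_PLACEHOLDER?s=48',
        '//0.gravatar.com/avatar/HASH_PLACEHOLDER',
        'http://example.org/uploads/local-avatar.png',
    );
    foreach ( $samples as $sample ) {
        echo $sample, ' => ', example_force_https_gravatar( $sample ), PHP_EOL;
    }
}
```

The host check is anchored at both ends, so a lookalike such as `www.gravatar.com.example.org` is not rewritten.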