⚡ NEW: Changeset/ - HD Photos!

Get WordPress

Make WordPress Core

Changeset 58822


Ignore:
Timestamp:
07/29/2024 01:57:11 AM (17 months ago)
Author:
peterwilsoncc
Message:

Users: Always use HTTPS URLs for Gravatar links.

Modifies gravatar image URLs to always use the HTTPS version from secure.gravatar.com.

Gravatar now redirects HTTP image requests to their HTTPS equivalent, resulting in redirects for sites running over an HTTP connection (is_ssl() === false). Since the introduction of HTTP/2 the use of sub-domains for different hashes ([1-3].gravatar.com) now represents a performance hinderance rather than improvement.

The scheme passed to get_avatar_data() is now ignored for the generation of Gravatar URLs but the setting retained to avoid introducing bugs for sites using either local avatars or third party providers.

Props neoxx, SergeyBiryukov, sippis, peterwilsoncc, mukesh27, costdev, dd32.
Fixes #37454.

Location:
trunk
Files:
4 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/wp-includes/link-template.php

    r58807 r58822  
    43294329 *
    43304330 * @since 4.2.0
     4331 * @since 6.7.0 Gravatar URLs always use HTTPS.
    43314332 *
    43324333 * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash,
     
    43594360 *                                  Default is the value of the 'avatar_rating' option.
    43604361 *     @type string $scheme         URL scheme to use. See set_url_scheme() for accepted values.
     4362 *                                  For Gravatars this setting is ignored and HTTPS is used to avoid
     4363 *                                  unnecessary redirects. The setting is retained for systems using
     4364 *                                  the {@see 'pre_get_avatar_data'} filter to customize avatars.
    43614365 *                                  Default null.
    43624366 *     @type array  $processed_args When the function returns, the value will be the processed/sanitized $args
     
    45094513    if ( $email_hash ) {
    45104514        $args['found_avatar'] = true;
    4511         $gravatar_server      = hexdec( $email_hash[0] ) % 3;
    4512     } else {
    4513         $gravatar_server = rand( 0, 2 );
    45144515    }
    45154516
     
    45214522    );
    45224523
    4523     if ( is_ssl() ) {
    4524         $url = 'https://secure.gravatar.com/avatar/' . $email_hash;
    4525     } else {
    4526         $url = sprintf( 'http://%d.gravatar.com/avatar/%s', $gravatar_server, $email_hash );
    4527     }
     4524    /*
     4525     * Gravatars are always served over HTTPS.
     4526     *
     4527     * The Gravatar website redirects HTTP requests to HTTPS URLs so always
     4528     * use the HTTPS scheme to avoid unnecessary redirects.
     4529     */
     4530    $url = 'https://secure.gravatar.com/avatar/' . $email_hash;
    45284531
    45294532    $url = add_query_arg(
    45304533        rawurlencode_deep( array_filter( $url_args ) ),
    4531         set_url_scheme( $url, $args['scheme'] )
     4534        $url
    45324535    );
    45334536

  • trunk/tests/phpunit/tests/avatar.php

    r56547 r58822  
    1212    public function test_get_avatar_url_gravatar_url() {
    1313        $url = get_avatar_url( 1 );
    14         $this->assertSame( preg_match( '|^http?://[0-9]+.gravatar.com/avatar/[0-9a-f]{32}\?|', $url ), 1 );
     14        $this->assertSame( preg_match( '|^https?://secure.gravatar.com/avatar/[0-9a-f]{32}\?|', $url ), 1 );
    1515    }
    1616
     
    5757
    5858    /**
    59      * @ticket 21195
     59     * Ensures the get_avatar_url always returns an HTTPS scheme for gravatars.
     60     *
     61     * @ticket 21195
     62     * @ticket 37454
     63     *
     64     * @covers ::get_avatar_url
    6065     */
    6166    public function test_get_avatar_url_scheme() {
    6267        $url = get_avatar_url( 1 );
    63         $this->assertSame( preg_match( '|^http://|', $url ), 1 );
     68        $this->assertSame( preg_match( '|^https://|', $url ), 1, 'Avatars should default to the HTTPS scheme' );
    6469
    6570        $args = array( 'scheme' => 'https' );
    6671        $url  = get_avatar_url( 1, $args );
    67         $this->assertSame( preg_match( '|^https://|', $url ), 1 );
     72        $this->assertSame( preg_match( '|^https://|', $url ), 1, 'Requesting the HTTPS scheme should be respected' );
     73
     74        $args = array( 'scheme' => 'http' );
     75        $url  = get_avatar_url( 1, $args );
     76        $this->assertSame( preg_match( '|^https://|', $url ), 1, 'Requesting the HTTP scheme should return an HTTPS URL to avoid redirects' );
    6877
    6978        $args = array( 'scheme' => 'lolcat' );
    7079        $url  = get_avatar_url( 1, $args );
    71         $this->assertSame( preg_match( '|^lolcat://|', $url ), 0 );
     80        $this->assertSame( preg_match( '|^lolcat://|', $url ), 0, 'Unrecognized schemes should be ignored' );
     81        $this->assertSame( preg_match( '|^https://|', $url ), 1, 'Unrecognized schemes should return an HTTPS URL' );
    7282    }
    7383
     
    258268
    259269        $this->assertTrue( is_avatar_comment_type( $comment_type ) );
    260         $this->assertMatchesRegularExpression( '|^http?://[0-9]+.gravatar.com/avatar/[0-9a-f]{32}\?|', $actual_data['url'] );
     270        $this->assertMatchesRegularExpression( '|^https?://secure.gravatar.com/avatar/[0-9a-f]{32}\?|', $actual_data['url'] );
    261271    }
    262272

  • trunk/tests/phpunit/tests/rest-api/rest-schema-setup.php

    r58340