View Issue Details

ID: 0012879
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2011-04-05 15:54
Reporter: Keithius
Assigned To: dhx
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Firefox 4
Product Version: 1.2.4
Target Version: 1.2.5
Fixed in Version: 1.2.5
Summary: 0012879: Gravatars don't appear in Firefox 4
Description

In Firefox 4, Gravatars do not appear when they should.

They appear in IE, Chrome, and Firefox 3.

Firefox error console shows a warning, e.g.:

Warning: CSP: Directive "img-src http://www.mantisbt.org https://secure.gravatar.com:443" violated by http://www.gravatar.com/avatar.php?gravatar_id=a58f8e253a2233cd8647937dddd9cd68&default=http%3A%2F%2Fwww.mantisbt.org%2Fbugs%2Fimages%2Fno_avatar.png&size=80&rating=G

This is not limited just to the mantisbt.org site, it affects any site using MantisBT that has Gravatars enabled.

Steps To Reproduce
  1. Install Firefox 4.
  2. Visit any site running MantisBT that has Gravatars enabled.

Expected: Gravatars to appear next to users' names in comments.
Actual: Gravatars do not appear at all.

Additional Information

Confirmed that this affects only Firefox 4 - did a clean install of Windows 7 and Firefox 4 just to be sure it wasn't any plugins or addons.

Doing a View > Page Source shows the code for the Gravatar is there; clicking the link in the source code displays the Gravatar image correctly.

Going into about:config and changing the setting security.csp.enable from the default value of TRUE to FALSE causes the Gravatars to appear normally again.

Appears to have something to do with the "Content Security Policy" which was added in Firefox 4:

http://people.mozilla.com/~bsterne/content-security-policy/download.html

Since Gravatars appear correctly in Firefox 4 on other (non-MantisBT) sites that use them, I'm not sure where the problem ultimately is - whether it's something with Gravatar's site or with the MantisBT implementation.

Tags: avatar

Activities

Keithius (reporter) - 2011-03-24 18:35 - ~0028468

This may also be related to 0012824 and/or 0010850.

Keithius (reporter) - 2011-03-24 18:43 - ~0028469

It may be worth noting that WordPress, which also uses Gravatars, generates the Gravatar URL slightly differently.

For example, the URL generated here on Mantis for my Gravatar (stripping out the size & rating parameters for simplicity) is:

http://www.gravatar.com/avatar.php?gravatar_id=51c993a6256194924615053475a14238

The same Gravatar URL generated by WordPress (again, without the size or rating parameters for simplicity's sake) is:

http://1.gravatar.com/avatar/51c993a6256194924615053475a14238

I'm not sure if this makes any difference whatsoever, though. (A quick test on my own hosted MantisBT installation seems to show that it does not, but this is quickly getting over my head.)

dhx (reporter) - 2011-03-24 23:53 - ~0028471

Thanks for the bug report. I'll fix this in a few hours time. We just need to add http://www.gravatar.com to the list of CSP exceptions for the img-src directive. I think this occurs within core/http_api.php if you're looking to quickly fix it yourself.

dhx (reporter) - 2011-03-25 07:44 - ~0028477

After reviewing the latest code I'm not seeing why this bug would occur.

When MantisBT is loaded within a HTTPS environment, Gravatar URLs will direct to secure.gravatar.com:443 instead of www.gravatar.com:80. The Content-Security-Policy setting will do the same thing.

Are you able to try the latest nightly build of 1.2.x and are you able to let me know whether this issue can be repeated for HTTP and/or HTTPS?

Keithius (reporter) - 2011-03-25 08:31 - ~0028479

Tested with nightly build mantisbt-1.2.4-2011-03-25-master-1.2.x-f190021; confirmed issue is reproducible over both HTTP and HTTPS.

The HTTP warning is:

Warning: CSP: Directive "img-src http://www.[my-site-redacted].com https://secure.gravatar.com:443" violated by http://www.gravatar.com/avatar.php?gravatar_id=9e9be8c7b05f82d1461c791e93ba93e5&default=identicon&size=80&rating=G

The HTTPS warning is:

Warning: CSP: Directive "img-src https://www.[my-site-redacted].com http://www.gravatar.com:80" violated by https://secure.gravatar.com/avatar.php?gravatar_id=9e9be8c7b05f82d1461c791e93ba93e5&default=identicon&size=80&rating=G

Keithius (reporter) - 2011-03-25 08:39 - ~0028480

Oh my - I think I just realized what the problem is when I saw what I just wrote.

It looks like the function http_security_headers() in core/http_api.php has things backwards!

The original code is:

    // Buggy version (as shipped): the HTTPS branch allows the plain host
    // and the plain-HTTP branch allows the secure host.
    if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
        $t_avatar_img_allow = "; img-src 'self' http://www.gravatar.com:80";
    } else {
        $t_avatar_img_allow = "; img-src 'self' https://secure.gravatar.com:443";
    }

But it should be:

    // Corrected version: the allowed Gravatar host matches the one the
    // avatar URLs actually point at for the current request scheme.
    if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
        $t_avatar_img_allow = "; img-src 'self' https://secure.gravatar.com:443";
    } else {
        $t_avatar_img_allow = "; img-src 'self' http://www.gravatar.com:80";
    }

I've made this modification to my install and can confirm that it does indeed work.
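The thread above explains the failure in words: the Gravatar URL follows the request scheme (www.gravatar.com over HTTP, secure.gravatar.com over HTTPS), but the img-src source the server emitted followed the opposite scheme, so CSP host-source matching (scheme, host and port must all agree) rejected the image under both HTTP and HTTPS. The following Python is an added example, not MantisBT code, that mirrors the PHP branch selection in core/http_api.php, builds the Gravatar URL the way the warnings in this report show it, and runs a simplified CSP host-source matcher over the result. Function names (avatar_img_src, gravatar_allowed and so on), the HTTP_HOST default "mantis.example" and the gravatar_id values are constructed for the example.

```python
"""Reproduce and check the img-src/Gravatar scheme mix-up from issue 0012879.

Added example (not MantisBT's own code). The matcher below implements only
the scheme/host/port comparison needed here; wildcards and other CSP
source forms are deliberately out of scope.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_https(server):
    """Same test as the PHP: HTTPS is set and is not 'off'."""
    return server.get("HTTPS", "off").lower() != "off"


def avatar_img_src(server, reversed_logic=False):
    """Pick the Gravatar host to allow in img-src from the request scheme.

    reversed_logic=True reproduces the shipped (buggy) branch order."""
    secure = "https://secure.gravatar.com:443"
    plain = "http://www.gravatar.com:80"
    want_secure = is_https(server)
    if reversed_logic:
        want_secure = not want_secure
    return secure if want_secure else plain


def gravatar_url(server, gravatar_id):
    """Gravatar URL as seen in the report: secure host under HTTPS, www otherwise."""
    host = "https://secure.gravatar.com" if is_https(server) else "http://www.gravatar.com"
    return f"{host}/avatar.php?gravatar_id={gravatar_id}&default=identicon&size=80&rating=G"


def source_matches(source_expr, url):
    """CSP host-source match: scheme, host and (explicit or default) port agree."""
    src, tgt = urlsplit(source_expr), urlsplit(url)
    if src.scheme != tgt.scheme or src.hostname != tgt.hostname:
        return False
    src_port = src.port or DEFAULT_PORTS[src.scheme]
    tgt_port = tgt.port or DEFAULT_PORTS[tgt.scheme]
    return src_port == tgt_port


def img_allowed(sources, self_origin, url):
    """True if any img-src source admits url; 'self' expands to self_origin."""
    for source in sources:
        expr = self_origin if source == "'self'" else source
        if source_matches(expr, url):
            return True
    return False


def gravatar_allowed(server, gravatar_id, reversed_logic=False):
    """End to end: would the browser load this request's Gravatar?"""
    scheme = "https" if is_https(server) else "http"
    self_origin = f"{scheme}://{server.get('HTTP_HOST', 'mantis.example')}"  # constructed default
    sources = ["'self'", avatar_img_src(server, reversed_logic)]
    return img_allowed(sources, self_origin, gravatar_url(server, gravatar_id))


if __name__ == "__main__":
    gid = "9e9be8c7b05f82d1461c791e93ba93e5"  # constructed id
    for label, server in (("HTTP", {}), ("HTTPS", {"HTTPS": "on"})):
        print(label, "buggy:", gravatar_allowed(server, gid, reversed_logic=True),
              "fixed:", gravatar_allowed(server, gid))
```

Run stand-alone it prints that the buggy branch order blocks the image for both HTTP and HTTPS while the corrected order allows it for both, which is exactly the pair of warnings quoted earlier in the thread: each scheme's Gravatar URL was tested against the other scheme's host.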

dhx (reporter) - 2011-03-25 11:19 - ~0028482

Keith, thanks for debugging the issue and providing the solution. I have committed your change to both branches of MantisBT.

Related Changesets

MantisBT: master da65e7f6 - 2011-03-25 11:09 - dhx

Fix 0012879: Gravatars don't work with Content-Security-Policy

Gravatar URLs are modified depending on whether the MantisBT instance is
being accessed via secure HTTP. If MantisBT is browsed via secure HTTP
then Gravatars are loaded via secure HTTP from gravatar.com.

The logic was incorrectly reversed in the code dealing with
Gravatar/X-Content-Security-Policy integration. This led to Gravatars
being blocked entirely (both plain and secure HTTP) in browsers
that implement X-Content-Security-Policy.

Thank you to Keith Survell for reporting, debugging and providing the
solution to this problem.
Affected Issues: 0012879
mod - core/http_api.php

MantisBT: master-1.2.x 43f20507 - 2011-03-25 11:09 - dhx

Fix 0012879: Gravatars don't work with Content-Security-Policy

Gravatar URLs are modified depending on whether the MantisBT instance is
being accessed via secure HTTP. If MantisBT is browsed via secure HTTP
then Gravatars are loaded via secure HTTP from gravatar.com.

The logic was incorrectly reversed in the code dealing with
Gravatar/X-Content-Security-Policy integration. This led to Gravatars
being blocked entirely (both plain and secure HTTP) in browsers
that implement X-Content-Security-Policy.

Thank you to Keith Survell for reporting, debugging and providing the
solution to this problem.
Affected Issues: 0012879
mod - core/http_api.php