View Issue Details

| Field | Value |
|---|---|
| ID | 0012879 |
| Project | mantisbt |
| Category | bugtracker |
| View Status | public |
| Date Submitted | 2011-03-24 18:33 |
| Last Update | 2011-04-05 15:54 |
| Reporter | Keithius |
| Assigned To | dhx |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | Firefox 4 |
| Product Version | 1.2.4 |
| Target Version | 1.2.5 |
| Fixed in Version | 1.2.5 |
| Summary | 0012879: Gravatars don't appear in Firefox 4 |
| Tags | avatar |

Description

In Firefox 4, Gravatars do not appear when they should. They appear in IE, Chrome, and Firefox 3. Firefox error console shows a warning, e.g.:

Warning: CSP: Directive "img-src http://www.mantisbt.org https://secure.gravatar.com:443" violated by http://www.gravatar.com/avatar.php?gravatar_id=a58f8e253a2233cd8647937dddd9cd68&default=http%3A%2F%2Fwww.mantisbt.org%2Fbugs%2Fimages%2Fno_avatar.png&size=80&rating=G

This is not limited just to the mantisbt.org site; it affects any site using MantisBT that has Gravatars enabled.

Steps To Reproduce

Expected: Gravatars to appear next to users' names in comments.

Additional Information

Confirmed that this affects only Firefox 4 - did a clean install of Windows 7 and Firefox 4 just to be sure it wasn't any plugins or addons. Doing a View > Page Source shows the code for the Gravatar is there; clicking the link in the source code displays the Gravatar image correctly. Going into about:config and changing the setting security.csp.enable from the default value of TRUE to FALSE causes the Gravatars to appear normally again. Appears to have something to do with the "Content Security Policy" which was added in Firefox 4: http://people.mozilla.com/~bsterne/content-security-policy/download.html Since Gravatars appear correctly in Firefox 4 in other (non-MantisBT) sites that use them, I'm not sure where the problem ultimately is - whether it's something with Gravatar's site or with the MantisBT implementation.
It may be worth noting that WordPress, which also uses Gravatars, generates the Gravatar URL slightly differently. For example, the URL generated here on Mantis for my Gravatar (stripping out the size & rating parameters for simplicity) is:

http://www.gravatar.com/avatar.php?gravatar_id=51c993a6256194924615053475a14238

The same Gravatar URL generated by WordPress (again, without the size or rating parameters for simplicity's sake) is:

http://1.gravatar.com/avatar/51c993a6256194924615053475a14238

I'm not sure if this makes any difference whatsoever, though. (A quick test on my own hosted MantisBT installation seems to show that it does not, but this is quickly getting over my head.)

Thanks for the bug report. I'll fix this in a few hours' time. We just need to add http://www.gravatar.com to the list of CSP exceptions for the img-src directive. I think this occurs within core/http_api.php if you're looking to quickly fix it yourself.

After reviewing the latest code I'm not seeing why this bug would occur. When MantisBT is loaded within an HTTPS environment, Gravatar URLs will direct to secure.gravatar.com:443 instead of www.gravatar.com:80. The Content-Security-Policy setting will do the same thing. Are you able to try the latest nightly build of 1.2.x and are you able to let me know whether this issue can be repeated for HTTP and/or HTTPS?

Tested with nightly build mantisbt-1.2.4-2011-03-25-master-1.2.x-f190021; confirmed issue is reproducible over both HTTP and HTTPS.

The HTTP warning is:

Warning: CSP: Directive "img-src http://www.[my-site-redacted].com https://secure.gravatar.com:443" violated by http://www.gravatar.com/avatar.php?gravatar_id=9e9be8c7b05f82d1461c791e93ba93e5&default=identicon&size=80&rating=G

The HTTPS warning is:

Warning: CSP: Directive "img-src https://www.[my-site-redacted].com http://www.gravatar.com:80" violated by https://secure.gravatar.com/avatar.php?gravatar_id=9e9be8c7b05f82d1461c791e93ba93e5&default=identicon&size=80&rating=G

Oh my - I think I just realized what the problem is when I saw what I just wrote. It looks like the function http_security_headers() in core/http_api.php has things backwards! The original code is:

if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {

But it should be:

if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {

I've made this modification to my install and can confirm that it does indeed work.

Keith, thanks for debugging the issue and providing the solution. I have committed your change to both branches of MantisBT.
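As an added example (not MantisBT's own code), the following Python model shows the interaction the thread describes: the Gravatar URL and the CSP img-src source must be derived from the same HTTPS check, and a minimal CSP source matcher shows why the reversed condition blocked the avatar in both modes. The `reversed_bug` flag, the `example.com` origin and the dict standing in for `$_SERVER` are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit

# Default ports used when a CSP source or URL omits an explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def is_https(server):
    """Mirror of the corrected check in the thread: HTTPS is on when the
    server variable is set and is not 'off' (case-insensitive)."""
    value = server.get("HTTPS")
    return value is not None and value.lower() != "off"


def gravatar_url(server, gravatar_id):
    """Build the avatar URL the way the page describes: secure host on HTTPS,
    plain host on HTTP."""
    if is_https(server):
        return f"https://secure.gravatar.com/avatar.php?gravatar_id={gravatar_id}"
    return f"http://www.gravatar.com/avatar.php?gravatar_id={gravatar_id}"


def csp_img_src(server, site_origin, reversed_bug=False):
    """Build the img-src directive. reversed_bug=True (an assumed switch)
    reproduces the inverted condition from the bug: the allowed Gravatar
    source then never matches the URL that gravatar_url() emits."""
    https = is_https(server)
    if reversed_bug:
        https = not https
    gravatar = "https://secure.gravatar.com:443" if https else "http://www.gravatar.com:80"
    return f"img-src {site_origin} {gravatar}"


def source_allows(source, url):
    """Match one scheme://host[:port] CSP source expression against a URL."""
    s, u = urlsplit(source), urlsplit(url)
    s_port = s.port or DEFAULT_PORTS.get(s.scheme)
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    return s.scheme == u.scheme and s.hostname == u.hostname and s_port == u_port


def img_allowed(directive, url):
    """True when any source in an 'img-src ...' directive permits the URL."""
    _, _, sources = directive.partition(" ")
    return any(source_allows(src, url) for src in sources.split())


if __name__ == "__main__":
    gid = "a58f8e253a2233cd8647937dddd9cd68"  # id taken from the report above
    for server, origin in (({}, "http://www.example.com"), ({"HTTPS": "on"}, "https://www.example.com")):
        url = gravatar_url(server, gid)
        print("bug:", img_allowed(csp_img_src(server, origin, True), url), "fixed:", img_allowed(csp_img_src(server, origin), url))
```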
|
MantisBT: master da65e7f6 2011-03-25 11:09

Fix 0012879: Gravatars don't work with Content-Security-Policy

Gravatar URLs are modified depending on whether the MantisBT instance is being accessed via secure HTTP. If MantisBT is browsed via secure HTTP then Gravatars are loaded via secure HTTP from gravatar.com. The logic was incorrectly reversed in the code dealing with Gravatar/X-Content-Security-Policy integration. This led to Gravatars being blocked entirely (both plain and secure HTTP) in browsers that implement X-Content-Security-Policy. Thank you to Keith Survell for reporting, debugging and providing the solution to this problem.

Affected Issues: 0012879

mod - core/http_api.php

MantisBT: master-1.2.x 43f20507 2011-03-25 11:09

Fix 0012879: Gravatars don't work with Content-Security-Policy

Gravatar URLs are modified depending on whether the MantisBT instance is being accessed via secure HTTP. If MantisBT is browsed via secure HTTP then Gravatars are loaded via secure HTTP from gravatar.com. The logic was incorrectly reversed in the code dealing with Gravatar/X-Content-Security-Policy integration. This led to Gravatars being blocked entirely (both plain and secure HTTP) in browsers that implement X-Content-Security-Policy. Thank you to Keith Survell for reporting, debugging and providing the solution to this problem.

Affected Issues: 0012879

mod - core/http_api.php