Users: Always use HTTPS URLs for Gravatar links.

Modifies gravatar image URLs to always use the HTTPS version from secure.gravatar.com. 

Gravatar now redirects HTTP image requests to their HTTPS equivalent, resulting in redirects for sites running over an HTTP connection (`is_ssl() === false`). Since the introduction of HTTP/2 the use of sub-domains for different hashes ([1-3].gravatar.com) now represents a performance hindrance rather than improvement.

The scheme passed to `get_avatar_data()` is now ignored for the generation of Gravatar URLs but the setting retained to avoid introducing bugs for sites using either local avatars or third party providers.

Props neoxx, SergeyBiryukov, sippis, peterwilsoncc, mukesh27, costdev, dd32.
Fixes #37454.


Built from https://develop.svn.wordpress.org/trunk@58822


git-svn-id: http://core.svn.wordpress.org/trunk@58218 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Peter Wilson 2024-07-29 01:59:18 +00:00
parent 05e35e900e
commit 062fb886f3
2 changed files with 13 additions and 10 deletions


@ -4328,6 +4328,7 @@ function is_avatar_comment_type( $comment_type ) {
* Retrieves default data about the avatar. * Retrieves default data about the avatar.
* *
* @since 4.2.0 * @since 4.2.0
* @since 6.7.0 Gravatar URLs always use HTTPS.
* *
* @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash, * @param mixed $id_or_email The avatar to retrieve. Accepts a user ID, Gravatar MD5 hash,
* user email, WP_User object, WP_Post object, or WP_Comment object. * user email, WP_User object, WP_Post object, or WP_Comment object.
@ -4358,6 +4359,9 @@ function is_avatar_comment_type( $comment_type ) {
* - 'X' (even more mature than above) * - 'X' (even more mature than above)
* Default is the value of the 'avatar_rating' option. * Default is the value of the 'avatar_rating' option.
* @type string $scheme URL scheme to use. See set_url_scheme() for accepted values. * @type string $scheme URL scheme to use. See set_url_scheme() for accepted values.
* For Gravatars this setting is ignored and HTTPS is used to avoid
* unnecessary redirects. The setting is retained for systems using
* the {@see 'pre_get_avatar_data'} filter to customize avatars.
* Default null. * Default null.
* @type array $processed_args When the function returns, the value will be the processed/sanitized $args * @type array $processed_args When the function returns, the value will be the processed/sanitized $args
* plus a "found_avatar" guess. Pass as a reference. Default null. * plus a "found_avatar" guess. Pass as a reference. Default null.
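Review bot: The new `$scheme` text says the setting is retained for systems using the `pre_get_avatar_data` filter, while the commit message gives the reason as sites using local avatars or third-party providers; the docblock should name both cases so callers know when the value still has an effect. It would also help to state outright that passing `'scheme' => 'http'` no longer changes the returned URL when a Gravatar is used, since a caller may otherwise expect a downgrade that will not happen.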
@ -4508,9 +4512,6 @@ function get_avatar_data( $id_or_email, $args = null ) {
if ( $email_hash ) { if ( $email_hash ) {
$args['found_avatar'] = true; $args['found_avatar'] = true;
$gravatar_server = hexdec( $email_hash[0] ) % 3;
} else {
$gravatar_server = rand( 0, 2 );
} }
$url_args = array( $url_args = array(
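Review bot: Removing `$gravatar_server` also drops the `else` branch that called `rand( 0, 2 )` from the avatar path; confirm no other reference to `$gravatar_server` remains in the function (the only other use visible is the `sprintf()` removed further down). Note that when `$email_hash` is empty the code still falls through and builds a URL ending in `/avatar/` with no hash, exactly as before; that pre-existing behaviour is unchanged by this hunk.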
@ -4520,15 +4521,17 @@ function get_avatar_data( $id_or_email, $args = null ) {
'r' => $args['rating'], 'r' => $args['rating'],
); );
if ( is_ssl() ) { /*
$url = 'https://secure.gravatar.com/avatar/' . $email_hash; * Gravatars are always served over HTTPS.
} else { *
$url = sprintf( 'http://%d.gravatar.com/avatar/%s', $gravatar_server, $email_hash ); * The Gravatar website redirects HTTP requests to HTTPS URLs so always
} * use the HTTPS scheme to avoid unnecessary redirects.
*/
$url = 'https://secure.gravatar.com/avatar/' . $email_hash;
$url = add_query_arg( $url = add_query_arg(
rawurlencode_deep( array_filter( $url_args ) ), rawurlencode_deep( array_filter( $url_args ) ),
set_url_scheme( $url, $args['scheme'] ) $url
); );
/** /**
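Review bot: Replacing `set_url_scheme( $url, $args['scheme'] )` with `$url` fixes the scheme at the point of construction, so the `scheme` argument can no longer downgrade the Gravatar URL to `http://` and trigger a plaintext request plus redirect on non-SSL sites; the explanatory comment block is clear. Suggest adding a unit test asserting that `get_avatar_data()` called with `'scheme' => 'http'` on a non-SSL site still returns a `https://secure.gravatar.com/avatar/...` URL, so a later refactor does not reintroduce `set_url_scheme()` here.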


@ -16,7 +16,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '6.7-alpha-58821'; $wp_version = '6.7-alpha-58822';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.