746203 - Gravatar images violate CSP

Status: VERIFIED FIXED

(Participation Infrastructure :: Phonebook, defect)

Description

[James Socol [:jsocol, :james]]

Images from gravatar servers violate the current CSP. We need to whitelist gravatar in the img-src directive. c.f. the CSP_IMG_SRC setting.

Comment 1

[[github robot]]

Commits pushed to master at https://github.com/mozilla/mozillians

https://github.com/mozilla/mozillians/commit/5cbd32c7b850f2188bf5fc29641cf96ac25a6b9c
[Fix bug 746203] Add gravatar to img-src whitelist.

https://github.com/mozilla/mozillians/commit/816c82aae357a93e297bf3e5b5aaab4f688db5fc
Merge pull request #221 from jsocol/img-src

[Fix bug 746203] Add gravatar to img-src whitelist.

Comment 2

[Matt Brandt [:mbrandt]]

I'm seeing some new interesting CSP violation emails:

Content Security Policy Violation Report

Request: GET https://mozillians-dev.allizom.org/en-US/search?q=f HTTP/1.1
Blocked URI: https://secure.gravatar.com/avatar/1f41f3ef916e1c1fc9401cf3212a6708?s=175&r=pg&d=https%3A%2F%2Fmozillians-dev.allizom.org%2Fmedia%2Fimg%2Funknown.png
Violation: img-src https://mozillians-dev.allizom.org:443 http://statse.webtrendslive.com:80 https://statse.webtrendslive.com:443 http://www.gravatar.com:80
Request Headers:

Comment 3

[[github robot]]

Commit pushed to master at https://github.com/mozilla/mozillians

https://github.com/mozilla/mozillians/commit/a9a32d200e40b18c5d8ff0d7f1c81ab39cab2e6d
[Fix bug 746203] Whitelist HTTPS gravatars.

Comment 4

[James Socol [:jsocol, :james]]

Also pushed to next: https://github.com/mozilla/mozillians/compare/ab1be9f...13464ef

Comment 5

[Matt Brandt [:mbrandt]]

Bumping to verified - no more CSP violations for Gravatar images are being received. Thx James.