Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#54363 new enhancement

Always load gravatars over HTTPS

Reported by: dimadin's profile dimadin Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: General Keywords: has-patch has-unit-tests
Focuses: Cc:


By default, when page is loaded over HTTP, gravatars are also loaded over HTTP. This can and should be changed.

There are two things here:

  • First thing is that default URL base in get_avatar_data() needs to be changed. Now, if page is loaded over HTTP, it uses domain sharding technique to load gravatar from one of three hostnames, (0|1|2) With HTTP/2, domain sharding is obsolete. When page is loaded over HTTPS, gravatar is (correctly) always loaded from one hostname, I have changed this behavior so that only hostname used is All of these five hostnames are behind CDN so speed wise it doesn't matter what hostname is used, but someone from @automattic can give review.
  • Second thing is that default URL scheme used in get_avatar_data() needs to be changed. Now, default scheme is null. Since that value is passed to set_url_scheme() it means that scheme of URL is changed to scheme of loaded page. To be able to always have HTTPS scheme by default, default scheme value need to be changed from null to https. For this, I have updated get_avatar_data(), get_avatar_url() and get_avatar(), and their documentation, but I have not added changelog since I'm unsure should we log changes in one of attributes.

I have also updated tests.

Change History (1)

Note: See TracTickets for help on using tickets.