View Issue Details

ID: 0021165
Project: mantisbt
Category: ui
View Status: public
Last Update: 2016-07-09 19:28
Reporter: atrol
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.0-rc.2
Target Version: 1.3.0
Fixed in Version: 1.3.0
Summary: 0021165: Using database configuration to enable gravatars does not work
Description

The CSP header looks like the following line if show_avatar is enabled in the database using adm_config_report.php:

content-security-policy:"default-src 'self'; frame-ancestors 'none'; style-src 'self'; script-src 'self'"

In FF you will see no avatar images because of this.
The FF console shows the CSP violation.

Using Edge shows broken avatar images. (see screenshot)

Enabling gravatars using config_inc.php works, as the CSP header looks like:

content-security-policy:"img-src 'self' http://www.gravatar.com/"

I had a short look at the code. One problem seems to be that config_get and config_get_global are used to get the show_avatar setting.
So config_get might deliver 1 whereas config_get_global might deliver 0.

The first question is: Should we go on to allow gravatar configuration in the database?
It allows us to enable/disable gravatars based on project and/or user.
We could add show_avatar to $g_global_settings if this functionality is not needed.

Tags: No tags attached.
Attached Files
EdgeAvatarsCSP.PNG (13,767 bytes)   
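
Why the first header quoted in the description blocks the avatar while the second allows it, as an added example that is not part of the original report or MantisBT's code. The tracker origin and avatar URL are constructed placeholders, and source matching is simplified to the forms that appear in the two headers.

```javascript
// Simplified check of whether a CSP header value permits an image load.
// Handles only the source forms in this report: 'self', 'none', scheme://host[/path].
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

function imageAllowed(headerValue, imageUrl, pageOrigin) {
  const policy = parseCsp(headerValue);
  // img-src falls back to default-src; with neither, image loads are unrestricted.
  const sources = policy.get('img-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  const target = new URL(imageUrl);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.startsWith("'")) return false; // 'none'; other keywords not modelled
    let allowed;
    try { allowed = new URL(src); } catch { return false; }
    // Exact origin match (CSP's http-to-https upgrade is not modelled).
    // A source path ending in "/" is a prefix; any other path must match exactly.
    const pathOk = allowed.pathname.endsWith('/')
      ? target.pathname.startsWith(allowed.pathname)
      : target.pathname === allowed.pathname;
    return allowed.origin === target.origin && pathOk;
  });
}

// The two header values quoted in the report.
const DB_CONFIG_HEADER =
  "default-src 'self'; frame-ancestors 'none'; style-src 'self'; script-src 'self'";
const FILE_CONFIG_HEADER = "img-src 'self' http://www.gravatar.com/";
// Constructed sample values (placeholders, not from the report).
const PAGE_ORIGIN = 'http://tracker.example';
const AVATAR_URL = 'http://www.gravatar.com/avatar/0123456789abcdef?s=80';
function report() {
  return {
    dbConfig: imageAllowed(DB_CONFIG_HEADER, AVATAR_URL, PAGE_ORIGIN),
    fileConfig: imageAllowed(FILE_CONFIG_HEADER, AVATAR_URL, PAGE_ORIGIN),
    sameOrigin: imageAllowed(DB_CONFIG_HEADER, PAGE_ORIGIN + '/images/logo.png', PAGE_ORIGIN),
  };
}
console.log(report());
```

With no img-src directive in the first header, image loads fall under default-src 'self', so the gravatar.com request is refused while same-origin images still load.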

Relationships

related to 0021164 (closed, syncguru): CSP headers are no longer sent when using current master branch

Activities

Related Changesets

MantisBT: master-1.3.x d9ea9992

2016-06-29 19:55

vboctor


show_avatar config in db doesn't work

Fixes 0021165
Affected Issues
0021165
mod - plugins/Gravatar/Gravatar.php

MantisBT: master 1ee1fa6b

2016-06-29 19:55

vboctor


show_avatar config in db doesn't work

Fixes 0021165
Affected Issues
0021165
mod - plugins/Gravatar/Gravatar.php