2768: Load gravatar pictures via https

niklas.h*********@gmai***** (Google Code)
chipx86
Nov. 6, 2012
Serving my reviewboard via https, I get something like:

"Your connection to review.nh2.me is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit and can be modified by an attacker to change the look of the page."

This is because my site is served as https, but the gravatars are loaded via plain http.

It would be an easy fix to change the URL to https in 'url = "http://www.gravatar.com/avatar/%s" % email_hash' in djblets/gravatars/templatetags/gravatars.py.
#1 chipx86
Really, we should detect if the request is using HTTPS, and choose the proper URL from that.

Where do you get that message? We have a few servers serving up RB with HTTPS, and haven't seen that in a user-visible location.
  • +Confirmed
  • +EasyFix
    +Milestone-Release1.6.x
#2 niklas.h*********@gmai***** (Google Code)
Browsers show that message; this particular wording appears in Chromium. Some browsers also show pop-ups for this.
#3 chipx86
Can you show me a screenshot? Seriously haven't seen this on any of the servers we administer, with any browser, so I'm curious why.
#4 niklas.h*********@gmai***** (Google Code)
Sure, screenshots attached.
#5 chipx86
Fixed on Djblets release-0.6.x (f436c5e).

This will be in Review Board 1.6.14.
  • -Confirmed
    +Fixed
  • +Djblets
  • +chipx86
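
The scheme selection proposed in comment #1, together with a check for the mixed content the reporter's browser warned about, as an added example that is not Djblets code and not the change made in f436c5e. The names `gravatar_url` and `insecure_subresources` and the sample host are assumptions; in a Django view the `page_is_https` flag would come from `request.is_secure()`.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


def gravatar_url(email, page_is_https):
    """Build the avatar URL with the same scheme as the page that embeds it."""
    # Gravatar keys avatars on the MD5 of the trimmed, lower-cased address.
    email_hash = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    # Assumption: the caller passes request.is_secure() (Django) here.
    scheme = "https" if page_is_https else "http"
    return "%s://www.gravatar.com/avatar/%s" % (scheme, email_hash)


class _SubresourceCollector(HTMLParser):
    """Collect URLs the browser fetches automatically while rendering."""
    FETCHING = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCHING.get(tag)  # None for tags such as <a>
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def insecure_subresources(page_url, html):
    """Return subresource URLs an HTTPS page would load over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on pages served over HTTPS
    collector = _SubresourceCollector()
    collector.feed(html)
    return [u for u in collector.urls if urlsplit(u).scheme == "http"]


if __name__ == "__main__":
    # Constructed sample page and address, not taken from a real server.
    page = "https://reviews.example.com/r/1/"
    for secure in (False, True):
        html = '<img src="%s">' % gravatar_url("user@example.com", secure)
        print(secure, insecure_subresources(page, html))
```

Running `insecure_subresources` over rendered templates in a test suite catches any other hard-coded `http://` asset before a browser does.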