Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Thomas Brinegar 84 posts 162 karma points
    Apr 28, 2014 @ 20:30
    Thomas Brinegar
    2

    HTTPS Backoffice loading unsecure content from Gravatar.

    HTTPS security is compromised by http://www.gravatar.com/avatar/XXXXEMAIL-HASHXXXXX.jpg?s=64&d=mm
    

    This is a delayed response since the image is not loaded until the Umbraco logo fades out and then into the Gravatar image. I would prefer to replace this image (and remove dependence from Gravatar) with one that is hosted locally on the website. Is there any easy way to do this?

    I have tried rewriting the contents of:

    • /Umbraco/Views/Directives/umb-avatar.html (tried a hard-coded image path with just src attribute, didn't work)
    • /Umbraco/Js/umbraco.controllers.js (commented out the gravatar image replacement line of JS, didn't work)

    Any suggestions are appreciated!

  • Thomas Brinegar 84 posts 162 karma points
    May 05, 2014 @ 15:05
    Thomas Brinegar
    0

    Anyone else experience this when using the back office across SSL?

  • Henk Jan Pluim 10 posts 62 karma points
    May 06, 2014 @ 16:15
    Henk Jan Pluim
    0

    Hi Thomas, 

    I think you have to make a difference between two things the default umbraco logo that is loaded when an user logs in and after that when an emailhash is used to set the gravatar image. The first thing you could override in the umbraco.controllers.js file:

    line 1174 & line 1193     $scope.avatar = "assets/img/application/logo.png"

    After that this there is a check if the emailHash has been set, this is used to get the gravatar image, i think here you implement your own custom thing yourself?

    if($scope.user.emailHash){ ...
    
    line 1270: $scope.avatar = "http://www.gravatar.com/avatar/" + $scope.user.emailHash + ".jpg?s=64&d=mm"
  • Thomas Brinegar 84 posts 162 karma points
    May 06, 2014 @ 16:22
    Thomas Brinegar
    0

    Thanks for the reply Henk. This was my initial approach but the back office doesn't appear to handle the Gravatar image any differently:

        if($scope.user.emailHash){
            $timeout(function () {                
                //yes this is wrong.. 
                $("#avatar-img").fadeTo(1000, 0, function () {
                    $timeout(function () {
                        //this can be null if they time out
                        /*if ($scope.user && $scope.user.emailHash) {
                            $scope.avatar = "https://www.gravatar.com/avatar/" + $scope.user.emailHash + ".jpg?s=64&d=mm";
                        }*/                     
                        //$scope.avatar = "https://www.gravatar.com/avatar/" + $scope.user.emailHash + ".jpg?s=64&d=mm";
                        $scope.avatar = "/media/logo.png";
                    });
                    $("#avatar-img").fadeTo(1000, 1);
                });
    
              }, 3000);  
        }
    

    I had tried resetting the web service in IIS as well and touching the web.config file but do not see any changes from the default Gravatar image. Notice in the commented out lines I had tried to load the standard image over HTTPS but its as if the updated JS does not get recognized in the back office.

  • Henk Jan Pluim 10 posts 62 karma points
    May 06, 2014 @ 22:55
    Henk Jan Pluim
    0

    Seems to me it could be a caching issue in your browser? Maybe you could force a refresh of the controller js file to make sure its correctly loaded after your latest changes? To do this hit ctrl-f5 after being logged into your backoffice: http://[yourdomain]//umbraco/js/umbraco.controllers.js

    After changing the controller file as mentioned above i could immediatly see the changes in the gravat, with your sample this would be:

    line 1174& line 1193     $scope.avatar ="/media/logo.png";

    Hope this will help you further...

  • Thomas Brinegar 84 posts 162 karma points
    May 06, 2014 @ 23:37
    Thomas Brinegar
    0

    I had a feeling it may have been a cacheing issue. I know I have tried explicitely reloading the umbraco.controllers.js file in my browser, but it didn't make a change on the calling page.

    I will try to do a full cache reset on my browser tomorrow morning when I am in the office and see if that resolves it.

    Thanks again!

  • Thomas Brinegar 84 posts 162 karma points
    May 09, 2014 @ 15:12
    Thomas Brinegar
    0

    I am not sure that it is a caching issue. I had tried clearing my cache and even switching browsers but am still not seeing any changes or results.

  • Henk Jan Pluim 10 posts 62 karma points
    May 09, 2014 @ 15:35
    Henk Jan Pluim
    0

    Hi Thomas,

    Sorry to hear this, maybe its an idea to get the full umbraco.controllers.js file shared, so i can take a look into this file? Also it is possible to debug this file with the chrome browser developer tools (f12) (sources tab) and than find the js file to debug. Than place breakpoint on the different lines mentioned above. So you can find out what exactly happens.

     

     

  • Thomas Brinegar 84 posts 162 karma points
    May 09, 2014 @ 15:50
    Thomas Brinegar
    0

    I had briefly attempted to debug it this way Henk, but couldn't find the umbraco.controllers.js resource in the Sources tab. Screenshot below:

    enter image description here

  • Henk Jan Pluim 10 posts 62 karma points
    May 09, 2014 @ 16:49
    Henk Jan Pluim
    0

    Hi Thomas,

    I checked it and you are right, you cant find the file because its generated by the dependencyhandler, maybe this is also why its difficult to clear the cache. I could find the code looking into this dependencyhandler see screen below and place a breakpoint. And with mouse over look for some values. 

  • Thomas Brinegar 84 posts 162 karma points
    May 09, 2014 @ 18:08
    Thomas Brinegar
    0

    Hmmm, looks like DependencyHandler.axd is not reading the updated JavaScript. I still see the old Gravatar URL code contained here. I have tried loading just the DependencyHandler.axd resource (which has a long unique querystring) in a new tab and tried refreshing/reloading the resource, but it does not seem to take into consideration the changes that were made to the umbraco.controllers.js file.

    Is there a way to refresh the .axd resource? I've tried touching the web.config and restarting the webserver to no avail.

  • Henk Jan Pluim 10 posts 62 karma points
    May 09, 2014 @ 19:54
    Henk Jan Pluim
    1

    Maybe by deleting the ClientDependency folder in App_Data\TEMP you can force this. Also make sure you have write permissions set on this folder.

  • Thomas Brinegar 84 posts 162 karma points
    May 09, 2014 @ 21:25
    Thomas Brinegar
    0

    Eureka! Thanks Henk, that did the trick.

  • marcelh 170 posts 470 karma points
    Oct 02, 2014 @ 22:41
    marcelh
    0

    Hmmm, having the same problem here. Running Umbraco 7.1.6 on https, with umbracoUseSSL set to true. Clearing the App_Data clientdepencies does not solve it for me :-( Any other ideas?

  • Thomas Brinegar 84 posts 162 karma points
    Oct 03, 2014 @ 14:12
    Thomas Brinegar
    0

    Hi Marcel!

    Did you make the change to the umbraco.controllers.js file? See earlier in this thread where I mentioned the line numbers you may need to change to point the image source to an alternate image. I replaced that string with an on-site image using absolute pathing to share the HTTPS protocol.

    Once that change is in place, clear App_Data and then touch the web.config to see if that resolves it for you. Maybe clear your browser cache too in case that is the culprit.

  • marcelh 170 posts 470 karma points
    Oct 03, 2014 @ 14:13
    marcelh
    0

    Ai! Thanks Tomas, I missed that change!

  • MuirisOG 373 posts 1271 karma points
    Oct 14, 2014 @ 11:44
    MuirisOG
    0

    (Newbie question)
    Our set up is like Fort Knox and won't allow us to use Gravatar.
    Is this the only alternative?
    Are there any other links out to the web that we should know about?

  • Thomas Brinegar 84 posts 162 karma points
    Oct 15, 2014 @ 19:28
    Thomas Brinegar
    0

    Hey NPTUser,

    If you look back in this thread, we discussed where to make changes in the respective javascript files. You can hardcode an image path located on your own web server as opposed to Gravatar, which was the same case in my circumstance.

    Be sure to clear your cache and empty the ClientDependency folder in App_Data\TEMP as mentioned by Henk. Might not hurt to touch the web.config too.

  • MuirisOG 373 posts 1271 karma points
    Oct 15, 2014 @ 19:41
    MuirisOG
    0

    Thanks Thomas, that worked a treat.
    As our development area is behind a security firewall, this has been one of the first hurdles I have had to address, so many thanks for posting this solution.

  • Thomas Brinegar 84 posts 162 karma points
    Oct 15, 2014 @ 19:46
    Thomas Brinegar
    0

    Absolutely, glad it worked!

  • LeszekP 27 posts 78 karma points
    Jun 19, 2015 @ 14:09
    LeszekP
    0

    Why the Avatar is not downloaded by secure HTTPS, but by insecure http?

    Gravatar.com works on https.

    Even if website runs on http, Gravatar image should be got using https.

    Always use https if available.

  • LeszekP 27 posts 78 karma points
    Jun 19, 2015 @ 14:14
    LeszekP
    0

    More info on http/https antipatern topic:

    https://twitter.com/paul_irish/status/588502455530311680

  • Matt Kemp 9 posts 64 karma points
    Apr 11, 2016 @ 23:27
    Matt Kemp
    0

    To update, the line numbers in umbraco.controllers.js to change are 99-125. I just comment out the whole section.

    My vote would definitely be for a config option to choose the image in the top left (which would then not use gravatar if specified).

    None of my CMS users have a gravatar (I can see it's more useful for comments on a blog), and I've secured my site with the Content-Security-Policy header so I don't want to have to add gravatar.com to the policy when it's not even used.

  • Iain Ogston 4 posts 74 karma points
    Sep 10, 2018 @ 14:40
    Iain Ogston
    0

    This still seems to be an annoying issue. Just deployed Umbraco 7.12.1 into a very secure Azure setup (highly firewalled) and our Users page took over 3 minutes to load for only 20 users.

    Looking at the code in \src\Umbraco.core\Models\UserExtensions.cs I saw that the API GetUserAvatarUrls returns instantly if you set the avatar for the user to "none", otherwise times out after 10 seconds PER USER.

    update [UmbracoUser] set avatar = 'none'

    Problem solved, the users page now loads instantly. Obviously not a perfect solution as I suspect new users will be created with the column set to NULL which will cause a 10 second timeout. However, our user community change is low so we'll work with this.

    Would be very nice to have a config setting to stop Gravatar calls from the Umbraco backoffice.

Please Sign in or register to post replies

Write your reply to:

Draft