[openstreetmap/openstreetmap-website] gravatar / user image should only be available to authenticated users (#1631)

Simon Poole notifications at github.com
Tue Jul 28 14:33:14 UTC 2020


The problem is that viewing 

- the user page of a user that has gravatar enabled leaks fingerprintable information plus the information which user I was looking at to gravatar (regardless of whether I'm logged in or not),

- my own user page if any of the friends or nearby users with edits (can't choose those) have gravatar enabled does the same (and naturally additionally it is at least theoretically possible to associate friends and nearby users with the fingerprint).

All the above is fine and dandy if I enabled gravatar on my account (assumption that the person knew what they were doing), not so for accounts that explicitly disabled gravatar for privacy reasons, and also not so for not-logged-in users.

As to displaying user names to not-logged-in users, I'm sure @woodpeck can comment on that.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/1631#issuecomment-665076552
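Added example, not part of the original message and not code from the openstreetmap-website project: a small Ruby check that lists the images a browser would fetch from another host while rendering a page, which is the request that discloses the viewer's IP address and headers, and the viewed account's avatar hash, to the third party. The page URL, host name, markup and hashes are constructed sample values.

```ruby
require "uri"

# Constructed page URL and markup (assumptions, not real OSM output).
PAGE_URL = "https://osm.example/user/alice"
SAMPLE_HTML = <<~HTML
  <img class="user_image" src="https://www.gravatar.com/avatar/00000000000000000000000000000000.jpg?s=100">
  <img class="user_thumbnail" src="/images/avatar_small.png">
  <img src="//www.gravatar.com/avatar/11111111111111111111111111111111?s=50">
  <img src="https://osm.example/attachments/users/1.png">
HTML

# Returns one entry per <img> whose source resolves to a host other than the
# page's own. Each such image makes the viewer's browser contact that host.
# The regex is a deliberately simple scanner for double- or single-quoted src
# attributes, not a full HTML parser.
def third_party_images(html, page_url)
  own_host = URI.parse(page_url).host
  html.scan(/<img\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/i).flatten.filter_map do |src|
    begin
      target = URI.join(page_url, src) # resolves relative and // URLs
    rescue URI::Error
      next
    end
    next if target.host.nil? || target.host.casecmp?(own_host)
    {
      host: target.host,
      url: target.to_s,
      # On Gravatar the path carries a hash derived from the account's
      # e-mail address, so the request itself names the viewed account.
      avatar_id: target.path[%r{\A/avatar/([0-9a-f]+)}, 1]
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  third_party_images(SAMPLE_HTML, PAGE_URL).each do |img|
    puts "#{img[:host]} receives a request for #{img[:url]} (id #{img[:avatar_id]})"
  end
end
```

Run against the HTML served to an anonymous session, an empty result means no viewer is sent to a third-party image host by that page.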