CUNY Academic Commons

I'm sitting at a GC computer and I know the problem, but not the solution.

On GC computers, IE is set to treat any site with URL http://*.gc.cuny.edu as a "trusted site". One of the settings related to "trusted sites" on the GC's default install of IE is that it prompts the user when "websites in less privileged web content zones" attempt to "navigate into this zone". I take it that what's happening is that when the Commons requests a gravatar from http://gravatar.com but none is found, there is some sort of redirect happening that is triggering the prompt.

It's a problem that will only arise on GC computers, most likely.

The only way I can think of to fix it is to turn off gravatar.

Wow. Thanks for your work on this, Boone.

Andre, is there any remote chance that we can get gravatar.com added to an IE whitelist?

Interesting. I too was able to replicate the error on IE. Here's my take on it, and mind you I'm not a desktop admin for GC so really have nothing to do with this.

Seems like an untrusted site (gravatar) is trying to access or open a resource on a trusted site (commons). How is gravatar trying to call a commons resource? I've no idea.

In this case I think the easiest solution would be to add gravatar.com to GC's list of trusted sites. Does that make sense to you all?

Alternatively, we can look deeper into the sequence here and try to understand exactly how/why gravatar is calling Commons' resources. I guess it's probably something to do with authentication, like checking to see if the Commons is a legit customer or something. How does this sound?

Matt Gold wrote:

Wow. Thanks for your work on this, Boone.

Andre, is there any remote chance that we can get gravatar.com added to an IE whitelist?

Not my domain. I have nothing to do with GC's desktop configurations, specially not Windows stuff.
But I can definitely try and help facilitate this.

If you can give it a shot, Andre, I would really appreciate it. Don't worry about pushing it if you hit resistance.

If we can't get it whitelisted, we have two options: remove gravatar and receive complaints from people who have lost their avatars, or keep it and get complaints from people who can't access the site w/in the GC.

Given the lay of the land and the characteristics of our members -- many more people probably use IE than gravatar -- i'd say that we should disable gravatar if we can't get it whitelisted.

Matt Gold wrote:

If you can give it a shot, Andre, I would really appreciate it. Don't worry about pushing it if you hit resistance.

If we can't get it whitelisted, we have two options: remove gravatar and receive complaints from people who have lost their avatars, or keep it and get complaints from people who can't access the site w/in the GC.

Given the lay of the land and the characteristics of our members -- many more people probably use IE than gravatar -- i'd say that we should disable gravatar if we can't get it whitelisted.

No problem, I'll follow up on this.
But while I super appreciate your flexibility here, I'd say let's try and avoid disabling gravatars at any cost...

I'll strongly push for adding it to the "trusted sites" list, but if that doesn't work for any reason, or just takes too long (more likely), perhaps we can examine the entire flow of requests and try and fine-tune it if possible?

I agree that disabling Gravatar is not a very good solution. I'll look through to see if I can detect why Gravatar is being weird. It only appears to happen for users who don't have a gravatar, so maybe there's an application-level hack I can do to stop this from happening.

Believe me, guys, I'd like to avoid disabling gravatar, too. Thanks to both of you for your efforts here.

OK, here's the deal.

BuddyPress constructs Gravatar URLs that looks like this:
http://www.gravatar.com/avatar/8a097f4ac174895d79d8e0adab7cb1c1?d=http://commons.gc.cuny.edu/path-to-default-gravatar&s=50

The long alphanumeric string is a hash of the user's email address. The s=50 at the end is a size variable. The d= in the middle defines a default image to be used in case the user doesn't have a Gravatar. In cases where users have a gravatar, the image is served from gravatar.com as a normal remote image. But when a user does not have one (this is the weird and annoying part), gravatar requests the default image (which, in our case, is hosted in the commons.gc.cuny.edu BuddyPress directory) and acts as a proxy. So the "mystery man" image that is our normal default is stored on our server, grabbed by Gravatar, and served back to us before being served to the end user. I think the system is intended to be flexible, but it ends up being kind of stupid.

There's no great way to circumvent it. Here are a few options:
1) Don't specify a default. Then Gravatar will use its own default, which means it's not making a request of the Commons server. That's what I've done right now: at the beginning of bp-nelo/functions.php I added a filter that greps out the 'd' query arg. That's why you see a blue gravatar logo default right now. I am not at the GC, and I don't have a working copy of windows to test on, but I assume that right now the problem has been solved. Downside: we have to use the blue gravatar default, which is maybe not quite as nice as the mystery man.
2) Turn off Gravatar altogether. I did this for a second just to get a sense of how many people are using it - and the answer is that a lot of people are using it. I'm guessing 20-30% of our users. Bad option.
3) Try hosting the default image somewhere other than *.commons.gc.cuny.edu, which in theory would prevent the problem of a non-trusted site querying a trusted site during the trusted site load. The downside of this is that it's just plain weird to have to store something on a remote server for this sort of stupid reason.

Thoughts?

(BTW I am not going to be around to troubleshoot this problem anymore starting tomorrow. If you want to turn off the filter that is causing the blue image to load, go to bp-nelo/functions.php and comment out the add_filter stuff on line 11.)

Of all the possible solutions available to us right now, i think you chose the most elegant and least disruptive one. If it motivates people who haven't chosen an avatar (or a gravatar) to get one, so much the better. But at least people won't lose their avatars and others won't be hassled as they visit the site.

When you come back, maybe you could work on this again, but for the next month, i think this is great. Again, thanks so much for your great work here.

Preview
Boone Gorges wrote:

Thoughts?

Really funny and interesting issue! Who said IE wasn't secure heh ;-)

Not sure what the desktop admins' philosophy is on adding sites to the trusted list but it seems workable to me, unless I'm missing some angle. Gravatar.com is a pretty reputable service so I don't see the big harm. Looking forward to consulting my colleagues on this...

Tested the filter work-around and worked for me, although I was running IE via Citrix XenApps which itself can be weird! Will re-test on Monday.

What's the status of this issue?

André, have you had a chance to talk to the GC desktop folks about having us added to the trusted sites list?

Or, alternatively, has everyone adjusted to seeing the blue Gravatar logo throughout the Commons? Can we accept this as a resolution for the issue?

Or, alternatively, has everyone adjusted to seeing the blue Gravatar logo throughout the Commons? Can we accept this as a resolution for the issue?

If possible, it would be great to reserve that as an alternative only if we're unable to adjust the trusted sites list.. . . .André, please let us know what you think when you can.

Boone Gorges wrote:

André, have you had a chance to talk to the GC desktop folks about having us added to the trusted sites list?

Haven't had a chance to address this yet. Upon reflection it seems to me like we'd have better flow addressing this issue from a GC user's perspective rather than a Commons dev's as I proposed earlier. If a GC user finds this annoying he/she can always create a ticket for that, and I'll advocate based on a user's request rather than from my position as a Commons dev.

Hi André,

Well, this ticket is the result of two GC grad students running into this problem and complaining about it (they were both members of the ITP class I was co-teaching with Steve). If you need their names, I can give them to you, but I'm not sure that's necessary -- we should be able to advocate for them based on the original complaint.

it's true that we've found a workaround to partially address the original complaint, but it's one that leaves our team unsatisfied.

It sounds like you feel a little uncomfortable bringing this up; would it be better if George or I brought it up ourselves?

Best,

Matt

I've also had complaints from people at SPS who work at the Grad Center. I could generate a ticket with the Helpdesk tomorrow if that would be helpful. Would you mind if I posted an update to the group suggesting that members use FireFox? If you guys would prefer this information not be public I could send each member a private message instead of posting an update.

Best,

Sarah

Hi Sarah,

How recent are the complaints you're referring to? And what were they, exactly? Our workaround should have prevented the previous problem from coming up again.

Generally, I prefer not to tell people what browsers they should use -- that reeks of 1996 websites that had banners in their footers saying "Best viewed with Netscape 2.6".... If people bring it up to you as a problem, then I'd say that you should recommend firefox, but a large-scale announcement is probably not necessary.

Again, please let us know what complaints you've been hearing. And if they're different than what's above, please start a new ticket. Thanks!

Matt

No worries, I won't post an update. The complaints were actually from about a month ago. I've been using Firefox because of Sharepoint compatibility issues so I will check the site tomorrow with IE and if that warning comes up then I'll generate a ticket.

Best,

Sarah

André, when you have a chance, can you address my questions in comment 17 above? What path would you advise us to take in order to make some progress here?

Matt Gold wrote:

André, when you have a chance, can you address my questions in comment 17 above? What path would you advise us to take in order to make some progress here?

Given that it isn't really a server-side issue, I advise for filing a support ticket with GC's help-desk. Sarah's offer is most helpful.

Turn the custom default avatar back on and take it from there.

Okay -- thanks, André.

Sarah, would you be willing to submit that ticket as a user of the Commons? It would be great if you could tell them that you brought the problem to our attention, and we made a temporary fix, but that we told you that the problem remains and that they should check in with me at my GC address ( mgold AT gc dot cuny dot edu )

I make this suggestion because I'd prefer not to turn the custom default avatar back on until the GC is ready to troubleshoot the problem.

Bumping this. Has anyone talked to the GC help desk?