UI compromises DIN EN ISO/IEC 27001 by trying to fetch images from gravatar.com

[s-seitz]

ISSUE TYPE

• Improvement Request

COMPONENT NAME

UI

CLOUDSTACK VERSION

4.16

CONFIGURATION

any

OS / ENVIRONMENT

any

SUMMARY

The UI tries to get a gravatar Image for each username in listUsers, which potentially compromises the audit trail of CS Installations in DIN EN ISO/IEC 27001-required environments.

STEPS TO REPRODUCE

Login into CS, and follow the requests, using the built-in Web-Developer-Tools of Firefox or Chrome.

EXPECTED RESULTS

No request to any external ressource.

ACTUAL RESULTS

The current CS UI tries to fetch an image from gravatar.com and compromises a private Infrastructure by exposing referrer and email-address of any listUser.

[DaanHoogland]

seems like a legitimate request to even include in 4.16.1 (@sureshanaparti ?) I think we can make the gravatar pull dependend on a global setting.

[utchoang]

@shwstppr @sureshanaparti cc @davidjumani Currently, I see these avatar objects just get and not used anywhere. So how do you think about removing it?

[sureshanaparti]

@shwstppr @sureshanaparti cc @davidjumani Currently, I see these avatar objects just get and not used anywhere. So how do you think about removing it?

@utchoang If these objects are unused, better to remove them (If needed later, can be added at later point of time). Any thoughts / comments @shwstppr @davidjumani @DaanHoogland @GabrielBrascher @rhtyd

[DaanHoogland]

@shwstppr @sureshanaparti cc @davidjumani Currently, I see these avatar objects just get and not used anywhere. So how do you think about removing it?

@utchoang If these objects are unused, better to remove them (If needed later, can be added at later point of time). Any thoughts / comments @shwstppr @davidjumani @DaanHoogland @GabrielBrascher @rhtyd

If we add them later we abviously would have to guard that with a global setting. Not sure if that has UI repercusions.

[sureshanaparti]

I think, global setting to keep these is not the right way.

[yadvr]

The gravataar based image was something I had added without thinking this through, now that we've resource icons feature this can be removed. cc @sureshanaparti @DaanHoogland

[sureshanaparti]

thanks for fixing this @utchoang