Automattic / jetpack

Security, performance, marketing, and design tools — Jetpack is made by WordPress experts to make WP sites safer and faster, and help you grow your traffic.
https://jetpack.com/

Comments: Custom avatar on non ssl site shows mixed content error #3474

Open sandymcfadden opened 8 years ago

sandymcfadden commented 8 years ago

What I expected

I expected that a custom avatar image being loaded over http instead of https would be copied to, then served from, an https wp.com address, probably via Photon.

What happened instead

When you visit a page with comments enabled and it tries to show the default avatar you get Mixed Content errors. An example would be:

Mixed Content: The page at 'https://jetpack.wordpress.com/jetpack-comment/?blogid=78781809&postid=1748&…94c2b12#parent=http%3A%2F%2Fwp.sandym.ca%2F2016%2F02%2Fjp-comments-test%2F' was loaded over HTTPS, but requested an insecure image 'http://wp.sandym.ca/wp-content/plugins/sandys-plugin//new-avatar.png'. This content should also be served over HTTPS.

Steps to reproduce the issue

  • Add code similar to this to add a custom avatar:

    ```php
    if (!function_exists('custom_avatar')) {
        function custom_avatar($avatar_defaults){
            $new_default_icon = plugin_dir_url( __FILE__ ) . 'new-avatar.png';
            $avatar_defaults[$new_default_icon] = 'custom avatar';
            return $avatar_defaults;
        }
        add_filter('avatar_defaults','custom_avatar');
    }
    ```
  • In WP Admin go to Settings > Discussion and set the default avatar to be the custom one added.
  • Visit a page using the Jetpack Comments module and view the console for error.

Seems this is being done around here: higherlander-comments.php lines 420ff

jeherve commented 8 years ago

This can be reproduced when installing a plugin like Wapuuvatar: https://wordpress.org/plugins/wapuuvatar/

kraftbj commented 8 years ago

Probably could just run the image through Photon to SSL-ize it.
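
The check and rewrite that the Photon suggestion implies, as an added example that is not Jetpack's code and not part of the thread: it flags an avatar that an HTTPS frame would load over HTTP and rewrites it to an HTTPS proxy URL. Assumptions: the proxy host `i0.wp.com`, the `https://<proxy>/<host><path>` layout, and the names `isMixedContent` and `secureAvatarUrl`, which are hypothetical.

```javascript
'use strict';

// Assumption: Photon-style proxy host and URL layout (https://<proxy>/<host><path>).
const PROXY_HOST = 'i0.wp.com';

// Hosts a public image proxy cannot reach (loopback and RFC 1918 ranges).
const PRIVATE_HOST = /^(localhost$|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;

// True when an HTTPS document would fetch this image over plain HTTP.
function isMixedContent(documentUrl, imageUrl) {
  const doc = new URL(documentUrl);
  const img = new URL(imageUrl, doc); // also resolves relative and //host/path forms
  return doc.protocol === 'https:' && img.protocol === 'http:';
}

// Returns a URL safe to embed in documentUrl, or null when the caller
// should fall back to a built-in default avatar.
function secureAvatarUrl(documentUrl, avatarUrl) {
  const img = new URL(avatarUrl, documentUrl);
  if (!isMixedContent(documentUrl, avatarUrl)) return img.href;
  // A non-default port or a private host cannot be fetched by the proxy.
  if (PRIVATE_HOST.test(img.hostname) || img.port !== '') return null;
  // Query string dropped (assumption: the proxy reserves it for its own parameters).
  return `https://${PROXY_HOST}/${img.hostname}${img.pathname}`;
}

// Constructed inputs based on the URLs quoted in the report.
const FRAME = 'https://jetpack.wordpress.com/jetpack-comment/';
const AVATAR = 'http://wp.sandym.ca/wp-content/plugins/sandys-plugin//new-avatar.png';
console.log(secureAvatarUrl(FRAME, AVATAR));
```

The `null` return covers sites the proxy cannot fetch from, such as local development installs, where a bundled HTTPS default avatar is the only option that avoids the warning.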

stale[bot] commented 6 years ago

This issue has been marked as stale. This happened because:

No further action is needed. But it's worth checking if this ticket has clear reproduction steps and it is still reproducible. Feel free to close this issue if you think it's not valid anymore — if you do, please add a brief explanation.