Avatar requires permission for external images from wp.com

I am using <Avatar> from Atlaskit in my Forge Custom UI app.

I noticed that some avatar images are not loaded properly.


This is the case if the avatar of the user is not an image but contains initials in a certain color. It actually should look like this.


In the JavaScript console log you see the following.

Refused to load the image 'https://i1.wp.com/avatar-management--avatars.us-west-2.prod.public.atl-paas.net/initials/N-6.png?ssl=1' 
because it violates the following Content Security Policy directive: 
"img-src 'self' data: blob: https://secure.gravatar.com https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net https://api.atlassian.com"

I added *.wp.com to the manifest so that these avatars are properly loaded and the error message disappears.

      - '*.wp.com'

Is this really true? Surprised that I need to add this external, because it looks like it is Atlassian’s standard infrastructure for avatars. Or is this maybe a bug in Forge?

P.S. Surprised to see Atlassian is using wp.com, which seems to belong to WordPress?

1 Like
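
Why the browser refuses that URL even though the Atlassian avatar host appears inside it, as an added example that is not part of the original post or of Forge: CSP matches a host source against the URL's host (`i1.wp.com`), never its path. The matcher is simplified (no ports, paths or `default-src` fallback); `SELF_ORIGIN` is a placeholder, and it is an assumption that the manifest entry ends up in `img-src` as the host source `*.wp.com`.

```javascript
// Added example: simplified CSP source-list matching for img-src.
// Handles 'self', scheme sources (data:) and host sources with an optional
// scheme and a leading "*." wildcard. Ports and paths are not modelled.
const PAGE_POLICY = "img-src 'self' data: blob: https://secure.gravatar.com " +
  "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net " +
  "https://api.atlassian.com"; // directive quoted in the console error
const BLOCKED_URL = "https://i1.wp.com/avatar-management--avatars." +
  "us-west-2.prod.public.atl-paas.net/initials/N-6.png?ssl=1";
const SELF_ORIGIN = "https://app.example.invalid"; // placeholder app origin

function sourcesFor(policy, directive) {
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return sources;
  }
  return null;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  // Scheme source such as "data:" or "blob:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  // A host source without a scheme inherits the scheme of the protected page.
  const scheme = (m[1] || new URL(selfOrigin).protocol.slice(0, -1)).toLowerCase();
  if (url.protocol !== scheme + ":") return false;
  const pattern = m[2].toLowerCase();
  // "*.wp.com" matches any subdomain (i1.wp.com) but not wp.com itself.
  return pattern.startsWith("*.")
    ? url.hostname.endsWith(pattern.slice(1))
    : url.hostname === pattern;
}

function imgAllowed(policy, rawUrl, selfOrigin = SELF_ORIGIN) {
  const sources = sourcesFor(policy, "img-src");
  if (!sources) throw new Error("no img-src directive (default-src fallback not modelled)");
  const url = new URL(rawUrl);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

console.log(imgAllowed(PAGE_POLICY, BLOCKED_URL));               // false
console.log(imgAllowed(PAGE_POLICY + " *.wp.com", BLOCKED_URL)); // true
```
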

Yes this is true.

The third party domains we use are documented here.

If you’re interested in following this we have a ticket you may want to watch.

I still don’t get why Gravatar support is enabled by default in Jira. It’s a data privacy issue that is enabled by default because Gravatar matches mail addresses.

1 Like

Thanks for confirming the current issue resp. behavior and workaround.

With the current workaround of adding these URLs to the manifest, it looks to customers as if the addon is using wp.com and gravatar.com, and they wonder what the addon is doing here.

My point is, it should not be the responsibility of the Forge addon to add permission for these external URLs, but it should be Atlassian adding this to their list of trusted URLs because it is part of Atlassian core functionality for avatars.

1 Like