Why does Gravatar require you to hash the email?

Question

I don't have a technical background, so I'm presuming there's a simple answer for this:
Why does Gravatar require you to create a hash of an email address before sending a request to their system? Is there a technical (or social) reason not to just use the email address?

Solution

It's to prevent exposing the email addresses to harvesting. If the raw email addresses were used in the avatar URL, it would be a simple task for spammers to harvest those email addresses for their nefarious purposes by scraping the HTML/DOM of any forum using Gravatar.

Other tips
There are two reasons.
Reason 1:
When you make a call to gravatar, the url looks like this:
https://www.gravatar.com/avatar/37dj383ks?params=blah
This means that on, say, a blog or internet forum, for a guest or signed-in user reading comments where gravatar images are used, the html source code would look like this:
<img src='https://www.gravatar.com/avatar/37dj383ks?params=blah'>
If they weren't hashed, your website's public HTML source code would look like:
<img src='https://www.gravatar.com/avatar/ bob_smith@example.com ?params=blah'>
<img src='https://www.gravatar.com/avatar/ susan_suzanna@example.com ?params=blah'>
<img src='https://www.gravatar.com/avatar/ jason123@example.com ?params=blah'>
<img src='https://www.gravatar.com/avatar/ francisbakery@example.com ?params=blah'>
Any website that'd be using gravatar would automatically be leaking, publicly, every single one of their own users' email addresses.
Reason 2:
The second reason is, any website that'd be using gravatar would automatically be leaking their users' email addresses to gravatar.
If I sign up at a website, say, Stack Overflow, and I give Stack Overflow my email address, I don't want Stack Overflow to send my personal email address to other companies like Gravatar.
But if I have already given Gravatar my email address and set up a profile picture, then the hash of my email is a shared hash that both Gravatar and Stack Overflow know. Stack Overflow doesn't have to trust Gravatar. Gravatar doesn't have to trust Stack Overflow. But by simply providing the one-way hash of the email, neither has to actually hand out any of their users' sensitive information.
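As an added example (not code from either answer above), here is the normalise-then-hash step that produces the shared lookup key both parties can compute independently, along with the resulting URL and img tag; the addresses are constructed sample values, and the function names are my own.

```python
import hashlib
from urllib.parse import urlencode


def gravatar_hash(email: str, algorithm: str = "md5") -> str:
    """Derive the Gravatar lookup key from an email address.

    Gravatar's documented normalisation: strip surrounding whitespace,
    lowercase, then hash the UTF-8 bytes. MD5 is the classic scheme;
    SHA-256 is also accepted by the service.
    """
    normalised = email.strip().lower().encode("utf-8")
    if algorithm == "md5":
        return hashlib.md5(normalised).hexdigest()
    if algorithm == "sha256":
        return hashlib.sha256(normalised).hexdigest()
    raise ValueError(f"unsupported algorithm: {algorithm}")


def gravatar_url(email: str, size: int = 80, default: str = "identicon") -> str:
    """Build the avatar URL; only the hash, never the address, leaves the site."""
    params = urlencode({"s": size, "d": default})
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?{params}"


def avatar_img_tag(email: str) -> str:
    """The tag a forum would emit into its public HTML."""
    return f"<img src='{gravatar_url(email)}' alt='avatar'>"


def same_lookup_key(site_copy: str, gravatar_copy: str) -> bool:
    """Reason 2 from the answer: each side hashes the address it already
    holds; if the keys match, the avatar resolves with no address exchanged.
    Differences in case or stray whitespace are absorbed by normalisation."""
    return gravatar_hash(site_copy) == gravatar_hash(gravatar_copy)


if __name__ == "__main__":
    sample = "bob_smith@example.com"  # constructed sample address
    print(avatar_img_tag(sample))
    print(same_lookup_key("  Bob_Smith@example.com ", sample))
```

Because email addresses form a small, guessable input space, the hash only hides the address from readers who do not already hold a candidate for it; treat it as a lookup key, not as a secret.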