Gravatar Usage with Auth0

Problem statement

When building a Content-Security-Policy (CSP) for an application, it was noticed that the Gravatar service often supplies the user image in Auth0. However, simply adding https://*.gravatar.com to the img-src directive of the policy does not appear to suffice because, at times, these icons are served from https://*.wp.com. Further research suggests that if no icon exists on Gravatar, there is a redirect to the following Auth0-related endpoint: https://.wp.com/cdn.auth0.com/.

Is there any Auth0 documentation to help understand how Auth0 and Gravatar interact to add icons for user profiles?

Solution

Auth0 automatically sets a Gravatar URL as the profile picture if the user has no existing picture URL. Since many users will not have a Gravatar image, Auth0 embeds a fallback image URL hosted under cdn.auth0.com/* in that Gravatar URL.

When Gravatar falls back to that image, it redirects to a *.wp.com host. This is an implementation detail of Gravatar, and Auth0 cannot guarantee that it will not change in the future. Gravatar is owned by the same company as WordPress, which controls both the *.gravatar.com and *.wp.com domains.

Adding both domains (*.gravatar.com and *.wp.com) to the Content Security Policy (CSP) should work, but unfortunately this is not something Auth0 can officially guarantee to be future-proof.

Keep in mind that the above applies only to Auth0 connection types such as database and passwordless. If a social or enterprise Identity Provider is used, it may send its own picture attribute, hosted on other domains.
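As an added example (not Auth0's own code or guidance), the following script models img-src host matching for the two policies discussed above: one listing only *.gravatar.com and one that also lists *.wp.com. Browsers check the URL of every redirect hop against the directive, so the fallback image's *.wp.com host must itself be allowed. The Gravatar path, the *.wp.com subdomain label and the policies are constructed; port and path matching and keyword sources such as 'self' are left out.

```javascript
// Minimal CSP img-src matcher (added example). It handles host-source
// expressions with an optional scheme and a leading "*." wildcard only.

function parseDirective(policy, name) {
  // Return the source list of directive `name`, or null if it is absent.
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

function sourceMatches(source, url) {
  // Keyword sources ('self', 'none', ...) are not modelled here: treat as no match.
  if (source.startsWith("'")) return false;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::\d+)?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  const target = new URL(url);
  // An explicit scheme in the source must match the target's scheme.
  if (scheme && scheme.toLowerCase() + ":" !== target.protocol) return false;
  const pattern = hostPattern.toLowerCase();
  const host = target.hostname.toLowerCase();
  // "*.wp.com" matches any subdomain of wp.com but not wp.com itself.
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function imgSrcAllows(policy, url) {
  // img-src is a fetch directive, so it falls back to default-src when absent.
  const sources = parseDirective(policy, "img-src") ?? parseDirective(policy, "default-src") ?? [];
  return sources.some((s) => sourceMatches(s, url));
}

// A redirected image load succeeds only if every hop is allowed by the directive.
function redirectChainAllowed(policy, chain) {
  return chain.every((url) => imgSrcAllows(policy, url));
}

// Constructed sample chain: the Gravatar request falls back to the Auth0-hosted
// default image, which is served from a *.wp.com host (subdomain label made up).
const SAMPLE_CHAIN = [
  "https://secure.gravatar.com/avatar/0123456789abcdef0123456789abcdef",
  "https://example.wp.com/cdn.auth0.com/avatars/default.png",
];

// Constructed policies: the incomplete one and the one the solution recommends.
const POLICY_GRAVATAR_ONLY = "default-src 'self'; img-src 'self' https://*.gravatar.com";
const POLICY_WITH_WPCOM = "default-src 'self'; img-src 'self' https://*.gravatar.com https://*.wp.com";

console.log("gravatar only:", redirectChainAllowed(POLICY_GRAVATAR_ONLY, SAMPLE_CHAIN)); // false
console.log("with *.wp.com:", redirectChainAllowed(POLICY_WITH_WPCOM, SAMPLE_CHAIN)); // true
```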