Page MenuHomeMiraheze
Create Task
Maniphest T10226

Add Scryfall to CSP whitelist
Open, NormalPublic
Actions

Description

I plan to use the card images hosted on Scryfall in my wiki to provide a visual reference in addition to the card text provided by their API.

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes, see above
  • Does the site provide a list of personal data being collected by using the service? Yes, see "Analytics Data" in page linked above
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Yes
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Company is very small, so it seems like they don't have a dedicated person/team for that. Their general support can be contacted here
  • Is the site equipped with a security policy? There is a brief section about security in their Privacy Policy
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? The site is hosted on Heroku, and is subject to their security practices
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? No specific person/team for this, but support can be contacted.

Event Timeline

Artillect created this task.Jan 1 2023, 00:31
Herald added a project: MediaWiki (SRE). · View Herald TranscriptJan 1 2023, 00:31
Herald added subscribers: OrangeStar, Agent_Isai, Universal_Omega. · View Herald Transcript
Artillect updated the task description. (Show Details)Jan 1 2023, 00:33
Artillect updated the task description. (Show Details)
Artillect updated the task description. (Show Details)Jan 1 2023, 06:16
Reception123 triaged this task as Normal priority.Jan 1 2023, 13:59
Reception123 added a subscriber: Reception123.Tue, Jan 10, 18:01

Regarding GDPR compliance, I don't see any explicit mentions of it. Yes you can delete your data but there still doesn't seem to be any clear compliance with the GDPR or any similar laws since it is a US based company.

Artillect added a comment.Thu, Jan 12, 07:24

Ah, you're right. Since the website's data is hosted through Heroku Postgres, which does have a commitment to GDPR compliance, I assume they would comply with the GDPR, but I understand if the lack of an explicit mention of it is an issue. What do you suggest I should do here? Should I contact them and ask about GDPR compliance?

Reception123 added a comment.Thu, Jan 12, 13:04
In T10226#207119, @Artillect wrote:

Ah, you're right. Since the website's data is hosted through Heroku Postgres, which does have a commitment to GDPR compliance, I assume they would comply with the GDPR, but I understand if the lack of an explicit mention of it is an issue. What do you suggest I should do here? Should I contact them and ask about GDPR compliance?

Contacting them would probably be a good idea. As long as there is GDPR compliance I'd be fine with approving on my end and letting Trust & Safety review.

Reception123 added a comment.Thu, Jan 19, 13:23

Any luck yet?

OrangeStar added a comment.Fri, Jan 27, 12:58

@Reception123 I can contact them myself if you want.