
Whitelist postimages.org & imgbb.com (& their domains) for image display
Closed, Resolved (Public)

Description

Please whitelist postimages.org & imgbb.com which are image hosters.
Images can't be shown even if "Allow External Images" is checked in the wiki configuration, because of your CSP: sites not on the whitelist are denied access.

The following whitelist entries are required:
'postimages.org'
'*.postimages.org'
'postimgs.org'
'*.postimgs.org'
'postimg.cc'
'*.postimg.cc'
'imgbb.com'
'*.imgbb.com'
'simgbb.com'
'*.simgbb.com'
'ibb.co'
'*.ibb.co'

Sample image links:

CSP REVIEW: postimages.org

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? No, however according to PP "PostImage does not require registration in order to upload images, so it does not record any email addresses if you are uploading anonymously (i.e. without signing in)."
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Appears yes, "Some of the features that make your site experience more efficient, such as user account access, may not function properly. However, you will still be able to upload images anonymously."
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Likely yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Does not appear to be the case, general support would have to be contacted
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Yes, some details are given as to what security measures exist, see PP
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Does not appear to be the case, general support would have to be contacted

CSP REVIEW: imgbb.com

  • Is the site equipped with a privacy policy? Yes, albeit very short
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? No, claims that "We do not collect any personally identifiable data on people who view images"
  • Does the site provide a list of personal data being collected by using the service? Yes, says none
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Unsure, likely yes
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Likely yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? No
  • Is the site equipped with a security policy? No
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? No
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? No

Event Timeline

Zppix subscribed.

Requesting security review.

It has not been resolved yet. Those two image hosting sites haven't been whitelisted.

They are popular image hosters which are within the top 5,000 sites according to Alexa.
https://www.alexa.com/siteinfo/postimg.cc #4,865 (owned by postimages.org)
https://www.alexa.com/siteinfo/ibb.co #2,075 (owned by imgbb.com)

The following whitelist entries are required:
'postimages.org'
'*.postimages.org'
'postimgs.org'
'*.postimgs.org'
'postimg.cc'
'*.postimg.cc'
'imgbb.com'
'*.imgbb.com'
'simgbb.com'
'*.simgbb.com'
'ibb.co'
'*.ibb.co'

Unknown Object (User) added a comment. Mar 28 2021, 21:51

I don't think these will be added:

These just redirect to postimages.org:

'postimgs.org'
'*.postimgs.org'
'postimg.cc'
'*.postimg.cc'

These just redirect to imgbb.com:

'simgbb.com'
'*.simgbb.com'
'ibb.co'
'*.ibb.co'

As for these, what is the purpose you need both wildcard and root domain?

'postimages.org'
'*.postimages.org'
'imgbb.com'
'*.imgbb.com'
Unknown Object (User) moved this task from Backlog to Short Term on the MediaWiki (SRE) board. Mar 29 2021, 16:36
Unknown Object (User) moved this task from Unsorted to Short Term on the Universal Omega board.
Unknown Object (User) closed this task as Declined. Apr 1 2021, 05:26
Unknown Object (User) claimed this task.

No response. Please reopen task if still needed. Thanks!

Revival reopened this task as Open. Edited Apr 19 2021, 12:02

I don't think these will be added:

These just redirect to postimages.org:

'postimgs.org'
'*.postimgs.org'
'postimg.cc'
'*.postimg.cc'

These just redirect to imgbb.com:

'simgbb.com'
'*.simgbb.com'
'ibb.co'
'*.ibb.co'

So sorry for late reply. The other domains need to be whitelisted too because those sites will also put many images on their respective domains.

Sample image links of postimages.org
https://postimgs.org/img/plugins/smf2_1.png
https://i.postimg.cc/DzK54CMz/image.png

Sample image links of imgbb.com
https://simgbb.com/images/logo.png
https://i.ibb.co/s9QQXyH/image.png

As for these, what is the purpose you need both wildcard and root domain?

'postimages.org'
'*.postimages.org'
'imgbb.com'
'*.imgbb.com'

If you just whitelist the root domain, it won't work on their sub-domains. That's why you need to whitelist their sub-domains too.
FYI I explained why whitelisting subdomains is necessary in a previous comment.
https://phabricator.miraheze.org/T5614#121433
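The wildcard-versus-root question above comes down to how browsers match CSP host sources: a bare host such as 'imgbb.com' matches only that exact host, while '*.imgbb.com' matches its subdomains but not the bare host itself. The following is an added illustration, not Miraheze's CSP code; it ignores scheme and port matching (an assumption made to keep the example short) and checks the sample image links from this task against the two whitelist variants discussed here.

```python
from urllib.parse import urlsplit

def host_matches(source: str, host: str) -> bool:
    """CSP host-source matching, hosts only (scheme/port deliberately ignored).

    '*.example.com' matches 'a.example.com' and 'a.b.example.com' but NOT
    'example.com' itself; a bare host matches only that exact host.
    """
    source, host = source.lower(), host.lower()
    if source.startswith("*."):
        # Suffix check with the leading dot kept, so 'evilimgbb.com' does
        # not match '*.imgbb.com'.
        return host.endswith(source[1:])
    return host == source

def allowed_by_img_src(url: str, sources: list[str]) -> bool:
    """True if the image URL's host is covered by any img-src host source."""
    host = urlsplit(url).hostname or ""
    return any(host_matches(src, host) for src in sources)

def blocked_urls(urls: list[str], sources: list[str]) -> list[str]:
    """Return the URLs that the given img-src list would refuse to load."""
    return [u for u in urls if not allowed_by_img_src(u, sources)]

# Whitelist as it stood when only the main domains were added.
ROOT_ONLY = ["imgbb.com", "postimages.org"]

# Whitelist as requested in this task (root domains plus wildcards).
REQUESTED = [
    "postimages.org", "*.postimages.org", "postimgs.org", "*.postimgs.org",
    "postimg.cc", "*.postimg.cc", "imgbb.com", "*.imgbb.com",
    "simgbb.com", "*.simgbb.com", "ibb.co", "*.ibb.co",
]

# Sample image links quoted in the thread.
SAMPLES = [
    "https://postimgs.org/img/plugins/smf2_1.png",
    "https://i.postimg.cc/DzK54CMz/image.png",
    "https://simgbb.com/images/logo.png",
    "https://i.ibb.co/s9QQXyH/image.png",
]

if __name__ == "__main__":
    print("blocked with root-only list:", blocked_urls(SAMPLES, ROOT_ONLY))
    print("blocked with requested list:", blocked_urls(SAMPLES, REQUESTED))
```

With the root-only list every sample link is blocked; with the requested list none is, which is the whole reason both the bare host and its '*.' wildcard appear in the request.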

Unknown Object (User) removed Unknown Object (User) as the assignee of this task. May 13 2021, 04:23
Unknown Object (User) removed a project: Universal Omega. May 14 2021, 21:39
Unknown Object (User) removed a project: Puppet. Jun 30 2021, 17:11

Sorry to ask, but when will they be added to the whitelist?

Both websites are popular sites which host images only. They are perfectly safe.

We have been waiting for 3 months and it is still unresolved. Many images are broken when their respective domains are not whitelisted. It is a big headache.

You simply need to add those lines to the whitelist file.

For postimages.org, those lines are required:

'postimages.org'
'*.postimages.org'
'postimgs.org'
'*.postimgs.org'
'postimg.cc'
'*.postimg.cc'

For imgbb.com, those lines are required:

'imgbb.com'
'*.imgbb.com'
'simgbb.com'
'*.simgbb.com'
'ibb.co'
'*.ibb.co'

Please kindly help us by adding those lines to the whitelist.

Thank you very much.

Unknown Object (User) added a comment. Aug 13 2021, 20:26

Currently all new CSP decisions have been put on hold, so it is unknown when they will resume and when this can be done. Apologies for the inconvenience.

Reception123 removed a subscriber: Unknown Object (User). Aug 24 2021, 19:05

For imgbb.com: While it doesn't say much in its Privacy Policy my understanding is that it's similar to T7881 in the sense that it doesn't collect any sort of PII which means it's fine with GDPR. Therefore because of this I'd be inclined to approve but of course T&S should check and make sure this is okay.

For postimages.org : It's a bit unclear to me from the Privacy Policy whether any PII is recorded from this site but my understanding is that as another image uploading/sharing website that is not the case if you don't register. As with the first it's probably best that T&S double checks and makes sure that's okay but to me it would seem fine to approve if that's the case.

Owen subscribed.

Reviewing both, there does not seem to be any real suggestion that they store information by default that is confined within GDPR. Anything collected as part of registration etc. falls outside of Miraheze's purview.

Moving this to 'Pending Addition' while we await proper CSP whitelisting by media/access type.

There are still issues which prevent many images from showing.

Currently only their main domains are whitelisted:

'imgbb.com'
'postimages.org'

However those 2 sites use multiple (sub-)domains to store the images, more (sub-)domains have to be whitelisted.

Regarding imgbb.com, those additional lines are required:

'*.imgbb.com'
'simgbb.com'
'*.simgbb.com'
'ibb.co'
'*.ibb.co'

Regarding postimages.org, those additional lines are required:

'*.postimages.org'
'postimgs.org'
'*.postimgs.org'
'postimg.cc'
'*.postimg.cc'

Thank you.

Created PR

Bukkit moved this task from Radar to Working On on the Bukkit board.