Enable Extension:EmbedSpotify on mediterraneanvision.miraheze.org (+CSP whitelist request for spotify)
Closed, Resolved; Public

Description

Please enable Extension:EmbedSpotify on mediterraneanvision.miraheze.org

I have Spotify playlists that are associated with certain pages on my wiki.

CSP REVIEW

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes, see PP
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? Not recently but there have been some concerns raised before
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Unclear
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes, likely
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes, can be contacted via privacy@spotify.com
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? No details; general standard info
  • Is the website owner known to have a bad reputation regarding information security? Based on this article that could be said
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Unclear, someone can probably be contacted via general support

Event Timeline

Redmin edited projects, added Extensions; removed MediaWiki.

The extension itself is approved but this still needs Site Reliability Engineering to add Spotify to the CSP whitelist.

Unknown Object (User) removed Redmin as the assignee of this task. Jun 30 2021, 17:10
Unknown Object (User) moved this task from Unsorted to Short Term on the Universal Omega board.
Unknown Object (User) moved this task from Reviewed, Approved to Actions Needed (Review) on the Extensions board.
Unknown Object (User) added a subscriber: Redmin.

Bump. Disallowing Spotify when Google is allowed makes no sense, IMO; Spotify should be trusted enough even though they serve ads.

Currently all new CSP decisions are put on hold until a new policy is adopted. This should happen soon.

Reception123 renamed this task from Enable Extension:EmbedSpotify on mediterraneanvision.miraheze.org to Enable Extension:EmbedSpotify on mediterraneanvision.miraheze.org (+CSP whitelist request for spotify). Aug 3 2021, 06:02
Reception123 removed a subscriber: Unknown Object (User). Aug 24 2021, 19:05

While there are some concerns regarding privacy and security, these do seem to be limited to registered users from what I understand and would not concern other data. Spotify generally seems to comply with our checklist but it's probably best if T&S takes a closer look at the potential concerns.

Unknown Object (User) moved this task from Backlog to Short Term on the MediaWiki (SRE) board. Sep 5 2021, 17:14
Owen subscribed.

Privacy concerns have been addressed over the years, particularly with more strict legislation limiting what information can be used for - this occurred 6 years ago. For the security side, resolution and investigation seem quick and thorough, no concerns were raised over the matter.

Redmin updated the task description.
Unknown Object (User) closed this task as Resolved. Sep 18 2021, 03:16

I have now merged the PRs. It will be available in Special:ManageWiki/extensions in a few minutes.