
CSP Whitelist Additions for Extension:EmbedVideo Support (archive.org and soundcloud.org)
Closed, Resolved · Public

Description

From other CSP Whitelist request tasks, it seems CSP whitelist additions are on hold. However, I'm adding this to the queue for when additions are available again.


Currently Extension:EmbedVideo is not fully functional due to being blocked by the CSP for some of its services and features. These services should be whitelisted if Miraheze plans to support embedding all the services this extension provides.

  • Archive.org video embeds do not load. *.archive.org should be added to the CSP.
  • Soundcloud embeds do not load. *.soundcloud.com should be added to the CSP.
  • Vimeo preview images are not loading, although *.vimeo.com is on the whitelist. Video loads fine after clicking though.
  • Spotify embeds do not load. *.spotify.com should be added to the CSP.
  • YouTube preview images are not loading due to being loaded from the YouTube CDN. *.ytimg.com should be added to the CSP.

CSP REVIEW: archive.org

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? GDPR is not specifically mentioned but it is possible to "see, update, or delete your information."
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Unclear
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Only directed to info@archive.org
  • Is the site equipped with a security policy? No
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? No
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Unclear, same email should be contacted (info@archive.org)

CSP REVIEW: soundcloud.org

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? GDPR not mentioned but similar rights are provided pursuant to the California law (CCPA): modify, access, delete
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Unsure
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes, dataprotection@soundcloud.com
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? No details; standard assurances
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Unclear, someone can probably be reached via general support

Event Timeline

Elaeagnifolia created this task.
Reception123 removed a subscriber: Unknown Object (User). Aug 24 2021, 19:05
Unknown Object (User) added a comment. Edited Sep 5 2021, 17:28
  • Spotify will be reviewed as part of T7567.
  • YouTube is already approved I believe, so ytimg.com should already be okay to be added to the CSP.
  • player.vimeo.com is already on the whitelist (re-approved in T7908 as part of our new CSP whitelist policy), in media-src. It may need adding to another section in the CSP whitelist, besides just media-src to fix it.

That leaves a review required for just archive.org and soundcloud.com, for which only specific subdomains should be whitelisted if possible, instead of a wildcard (if they are approved).

Reception123 renamed this task from CSP Whitelist Additions for Extension:EmbedVideo Support to CSP Whitelist Additions for Extension:EmbedVideo Support (archive.org and soundcloud.org). Sep 6 2021, 13:48
Reception123 updated the task description.

For archive.org: While the security side of things doesn't seem great, I think that, due to the nature of the website, it could be approved as long as it is limited to img-src and media-src only. Passing on to T&S for review and to double-check if the GDPR part is satisfactory.

For soundcloud.com: Soundcloud seems to fulfil our checklist and should therefore be good to approve.
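The comments above turn on three CSP mechanics: a `*.archive.org` wildcard versus a specific subdomain, a host listed in media-src but not img-src (the vimeo preview case), and archive.org being limited to img-src and media-src only. The following checker is an added example, not Miraheze's or EmbedVideo's code; it implements the CSP Level 3 host-source matching rules (implied scheme, `*.` host wildcard, port, path prefix, `'self'`) plus the fallback from an absent fetch directive to default-src, so a proposed whitelist line can be tested offline before it is deployed. The policy text, page origin and request URLs in it are constructed for illustration and are not Miraheze's actual CSP.

```python
"""Does a CSP directive allow a URL? Added example, not Miraheze code.

Models CSP Level 3 host-source matching and default-src fallback so the
effect of a whitelist entry can be checked before deployment. The policy,
page origin and URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Absent directives that do not defer straight to default-src.
FALLBACKS = {
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}


def parse_policy(header):
    """'img-src a b; media-src c' -> {'img-src': ['a', 'b'], 'media-src': ['c']}.
    A repeated directive name is ignored after its first occurrence, as in the spec."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    port = url.port
    if port and port != DEFAULT_PORTS.get(url.scheme):
        return f"{url.scheme}://{url.hostname}:{port}"
    return f"{url.scheme}://{url.hostname}"


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # '*.archive.org' matches any subdomain but NOT 'archive.org' itself.
        return host.endswith(pattern[1:])
    return pattern == host


def _scheme_ok(allowed, actual):
    # An http pattern also permits the https upgrade of the same host.
    return actual == allowed or (allowed == "http" and actual == "https")


def _source_matches(source, url, page_origin):
    """Match one source expression against a split URL. Keywords other than
    'self' (nonces, hashes, 'none', 'unsafe-inline') never match a fetched URL."""
    low = source.lower()
    if low == "'self'":
        return _origin(url) == page_origin.lower()
    if low.startswith("'"):
        return False
    if low.endswith(":") and "/" not in low:          # scheme-source, e.g. https:
        return _scheme_ok(low[:-1], url.scheme)
    if "://" in source:                               # host-source with a scheme
        scheme, rest = source.split("://", 1)
    else:                                             # no scheme: page's scheme is implied
        scheme, rest = page_origin.split("://", 1)[0], source
    if not _scheme_ok(scheme.lower(), url.scheme):
        return False
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not _host_matches(host.lower(), url.hostname or ""):
        return False
    url_port = url.port or DEFAULT_PORTS.get(url.scheme)
    if port == "*":
        pass
    elif port:
        if url_port != int(port):
            return False
    elif url_port != DEFAULT_PORTS.get(url.scheme):  # no port given: default only
        return False
    if path:
        path = "/" + path
        return url.path.startswith(path) if path.endswith("/") else url.path == path
    return True


def allows(policy, directive, url_str, page_origin):
    """True if `policy` lets `directive` load url_str from a page at page_origin."""
    url = urlsplit(url_str)
    for name in [directive] + FALLBACKS.get(directive, ["default-src"]):
        if name in policy:
            return any(_source_matches(s, url, page_origin) for s in policy[name])
    return True  # nothing governs this directive, so CSP does not restrict it


# Constructed policy modelled on the thread: archive.org in img-src and media-src
# only, player.vimeo.com in media-src and frame-src. Hostnames are illustrative.
PAGE = "https://example.miraheze.org"
POLICY = parse_policy(
    "default-src 'self'; "
    "img-src 'self' *.archive.org; "
    "media-src 'self' *.archive.org player.vimeo.com; "
    "frame-src 'self' player.vimeo.com"
)
CHECKS = [  # (directive, URL, what it demonstrates)
    ("media-src", "https://ia600.us.archive.org/0/items/x/x.mp4", "wildcard covers a subdomain"),
    ("img-src", "https://archive.org/services/img/x", "wildcard does not cover the apex host"),
    ("media-src", "http://ia600.us.archive.org/0/items/x/x.mp4", "http from an https page is refused"),
    ("img-src", "https://player.vimeo.com/video/1/thumb.jpg", "in media-src but not img-src"),
    ("frame-src", "https://player.vimeo.com/video/1", "listed in frame-src"),
    ("connect-src", "https://player.vimeo.com/api", "absent directive falls back to default-src"),
    ("connect-src", "https://example.miraheze.org/api.php", "'self' via default-src"),
]


def run_checks(policy=POLICY, page=PAGE, checks=CHECKS):
    return [(d, u, allows(policy, d, u, page)) for d, u, _ in checks]


if __name__ == "__main__":
    for (directive, url, note), (_, _, ok) in zip(CHECKS, run_checks()):
        print(f"{'allow' if ok else 'BLOCK':5} {directive:11} {url}  ({note})")
```

The second and fourth checks are the two traps the thread touches on: `*.archive.org` does not admit `archive.org` itself, so an apex-host embed needs its own entry, and a host approved under media-src contributes nothing to an image fetch, which is governed by img-src (or by default-src when img-src is absent). Keeping archive.org out of script-src and frame-src, as suggested above, means a compromise of that origin could at most serve a bad image or media file, not run code in the wiki's origin.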

Owen subscribed.

I agree with the assessment above. Specifically around GDPR, as long as the pillars of it are possible (the 7 rights in one form or another), it meets the requirements for the UK DPA.

John claimed this task.
John moved this task from DSRE Review to Completed on the CSP Review board.