
Review reviservices.com CSP Entry
Closed, ResolvedPublic

Description


CSP REVIEW

  • Is the site equipped with a privacy policy?
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights?
  • Does the site provide a list of personal data being collected by using the service?
  • Is the website owner known to have a bad reputation regarding privacy?
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking?
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker?
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze?
  • Is the site equipped with a security policy?
  • Does the site clarify its security measures to protect collected user data? Can the site assure that measures are being taken to protect against code injection into the loaded external resources?
  • Is the website owner known to have a bad reputation regarding information security?
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze?

Event Timeline

John triaged this task as Normal priority. Aug 28 2021, 19:31
John created this task.
Unknown Object (User) subscribed. Aug 29 2021, 21:27

As far as I can tell this is only here for js-wiki-cdn.reviservices.com, so I'm not sure why *.reviservices.com is whitelisted. But I can't find any initial task requesting that this be whitelisted either.

Unknown Object (User) added a subscriber: Reception123. Sep 1 2021, 06:01

I have updated the CSP (merged by @Reception123) to just use js-wiki-cdn.reviservices.com instead of the unnecessary wildcard.
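To make the scope of that change concrete, the following is an added example (not code from Miraheze, this task, or MediaWiki's CSP implementation) that applies the CSP host-source matching rule to the wildcard entry and to the narrowed entry. It follows the host-part rule from the CSP Level 3 specification: a source beginning with `*.` admits any host that ends in the remainder and has at least one additional label, while a plain host must match exactly. Scheme, port and path matching are deliberately simplified, and the two policy strings are constructed for the example rather than copied from Miraheze's configuration.

```python
"""Added example (not Miraheze code): show which hosts a CSP script-src
host-source admits, comparing the original wildcard *.reviservices.com
with the narrowed entry js-wiki-cdn.reviservices.com.

Assumptions for this example: only host sources and the bare "*" are
evaluated; keyword sources such as 'self' are skipped; scheme, port and
path components of a source are ignored (simplified CSP matching)."""

from urllib.parse import urlsplit


def host_matches(source: str, host: str) -> bool:
    """Return True if `host` is admitted by the CSP host-source `source`.

    "*.example.com" matches "a.example.com" and "a.b.example.com" but not
    the apex "example.com" itself; any other source must match exactly."""
    source = source.lower()
    host = host.lower()
    if source.startswith("*."):
        suffix = source[1:]  # ".reviservices.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return source == host


def parse_script_src(policy: str) -> list[str]:
    """Return the source list of the script-src directive in `policy`."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def script_allowed(policy: str, url: str) -> bool:
    """Decide whether a script at `url` may load under `policy`."""
    host = urlsplit(url).hostname or ""
    for source in parse_script_src(policy):
        if source.startswith("'"):
            continue  # keyword source ('self', 'unsafe-inline', ...): not a host
        if source == "*":
            return True
        # Reduce "https://host:443/path" style sources to the host part only.
        hostpart = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        if host_matches(hostpart, host):
            return True
    return False


# Constructed policies for this example: the wildcard as originally
# whitelisted, and the single host merged in the task.
WILDCARD_POLICY = "default-src 'self'; script-src 'self' *.reviservices.com"
NARROWED_POLICY = "default-src 'self'; script-src 'self' js-wiki-cdn.reviservices.com"

if __name__ == "__main__":
    for url in ("https://js-wiki-cdn.reviservices.com/wiki.js",
                "https://other.reviservices.com/wiki.js",
                "https://reviservices.com/wiki.js"):
        print(url,
              "wildcard:", script_allowed(WILDCARD_POLICY, url),
              "narrowed:", script_allowed(NARROWED_POLICY, url))
```

The point the check makes visible: under the wildcard, any present or future subdomain of reviservices.com (whatever is created or captured later, including a dangling one) may serve script into every wiki, whereas the narrowed entry admits exactly one host and nothing else.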

Also maybe *css*-wiki-cdn IIRC…

Both URLs are essentially GitHub Pages proxied through Cloudflare.

For the record, I do not attempt to comply with the GDPR. The only legislation that has any effect on me (and with which I do comply) is the Republic of Korea's Privacy Act. If someone invokes their rights protected under the ROK Privacy Act, I'd be happy to comply, but the GDPR is not my law, despite whatever the EU claims. Feel free to remove it if this makes you unhappy.

The only data I (maybe) collect is the User-Agent, collected via Cloudflare (but I can turn it off anyway).

If it's Cloudflare and GitHub, I think their privacy policies should apply anyway.

@revi If you don't mind turning off UA collection, that would be great and would avoid any need for the checklist/GDPR.

Cloudflare is approved in T7903; GitHub is pending approval here T8003.

Based on the limited scope for this, the fact that Revi is a trusted user, and the minimal data collected, I would recommend approval. Passing on to T&S.

If this is approved, can you change the CSP domain to wiki-assets.sumin.wiki, which I purchased to disable Cloudflare logging, if it is technically feasible? Thanks!

Routed via Cloudflare and GitHub, this is fine.

With regard to the general-purpose privacy policy, thankfully it does not apply here, as the services are entirely external; but if it did, the lack of commitment to the GDPR would mean this would have been rejected.

John claimed this task.
John moved this task from DSRE Review to Completed on the CSP Review board.