Page MenuHomeMiraheze

Review CSP Entry
Open, NormalPublic



  • Is the site equipped with a privacy policy?
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights?
  • Does the site provide a list of personal data being collected by using the service?
  • Is the website owner known to have a bad reputation regarding privacy?
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking?
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker?
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze?
  • Is the site equipped with a security policy?
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources?
  • Is the website owner known to have a bad reputation regarding information security?
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze?

Event Timeline

John triaged this task as Normal priority.Aug 28 2021, 19:31
John created this task.

As far as I can tell this is only here for so not sure why * is whitelisted. But I can't find any initial task requesting this whitelisted either.

I have updated the CSP (merged by @Reception123) to just use instead of the unnecessary wildcard.

Also maybe *css*-wiki-cdn IIRC…

Both urls are essentially GitHub Pages proxied thru Cloudflare.

For the record I do not attempt to comply w/ GDPR — only legislation that have any effect on me (and which I do comply) is Republic of Korea's Privacy Act. If someone invokes their rights protected under ROK Privacy Act, I'd be happy to comply but GDPR is not my law, despite whatever EU claims. Feel free to remove if this is unhappy to you.

Only data I (maybe) collect is User-Agent collected via Cloudflare (but I can turn it off anyway)

If it's Cloudflare and GitHub I think their Privacy Policy should apply anyway