
Review Amazon AWS CSP Entry
Closed, Declined | Public

Description


CSP REVIEW

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes, see PP and GDPR page
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Unsure
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Likely?
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Can't find any particular contact info, would have to be done via general support
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Yes, it seems so
  • Is the website owner known to have a bad reputation regarding information security? Not particularly, but one article raises some concerns
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Couldn't find any specific info, would have to be done via general support

Event Timeline

John triaged this task as Normal priority. Aug 28 2021, 19:34
John created this task.
Reception123 subscribed.

Everything seems largely fine with Amazon AWS so I'd be inclined to approve. Passing onto T&S for review.

Owen subscribed.

As the title suggests AWS, what are the security measures in place to limit loading to what is intended? My concern is anyone can theoretically upload content to AWS and then execute JS scripts locally or remotely and store the relevant information.

Seems added in T4423 with not a lot of details. @Reception123 can you provide more information on this please, namely the scope of who can upload media and what steps are taken to restrict the type of media able to be accessed/imported?

Reception123 claimed this task.

I've not been able to identify a use case for AWS and therefore I will be removing it from the CSP whitelist for the time being. If a need is identified after this removal this task can be reopened and we can get more insight into the scope of having AWS whitelisted.
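The concern raised in this thread, that a CSP entry for a platform where anyone can upload content also allows whatever other tenants host there, can be checked mechanically. The following is an added example, not Miraheze's code or configuration; the suffix list, function names and the sample policy are assumptions constructed for illustration.

```python
# Assumption: suffixes of multi-tenant hosting domains to look for.
SHARED_SUFFIXES = ("amazonaws.com",)

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def host_of(source):
    """Host part of a host-source, or None for keywords, nonces and schemes."""
    if source.startswith("'") or source.endswith(":"):
        return None
    host = source.split("://", 1)[-1]   # drop scheme
    host = host.split("/", 1)[0]        # drop path
    return host.split(":", 1)[0].lower()  # drop port

def shared_host_findings(header, suffixes=SHARED_SUFFIXES):
    """Return (directive, source, is_wildcard) for script sources on shared hosts."""
    policy = parse_csp(header)
    # Script loads use script-src-elem, falling back to script-src, then default-src.
    directive = next((d for d in ("script-src-elem", "script-src", "default-src")
                      if d in policy), None)
    if directive is None:
        return []
    findings = []
    for source in policy[directive]:
        host = host_of(source)
        if host is None:
            continue
        wildcard = host.startswith("*.")
        bare = host[2:] if wildcard else host
        if any(bare == s or bare.endswith("." + s) for s in suffixes):
            findings.append((directive, source, wildcard))
    return findings

# Constructed sample policy, not taken from any real site.
SAMPLE = ("default-src 'self'; "
          "script-src 'self' https://*.amazonaws.com https://static.example.org; "
          "img-src https://*.amazonaws.com data:")

if __name__ == "__main__":
    for directive, source, wildcard in shared_host_findings(SAMPLE):
        scope = "every tenant's content" if wildcard else "this host's content"
        print(f"{directive}: {source} allows scripts from {scope}")
```

A wildcard finding means the entry cannot distinguish the intended bucket or service from any other customer's; a non-wildcard finding still deserves a check of who can upload to that host.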