
Review shields.io CSP Entry
Closed, Declined (Public)

Description

CSP REVIEW
Note: Shields.io is hosted with GitHub (see their repo here: https://github.com/badges/shields) and therefore it appears that GitHub is the only one that would collect any sort of data. The review below will therefore be of GitHub.

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes, see PP
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Yes
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes, privacy@github.com
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect against code injection into the loaded external resources? Yes, some details are provided
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Yes

Event Timeline

John triaged this task as Normal priority. Aug 28 2021, 19:36
John created this task.

GitHub's privacy policy covers all of our checklist and therefore would be approved. As far as I can see with shields.io there isn't any additional collection of information beyond what GitHub collects and "No tracking" is mentioned.

> GitHub's privacy policy covers all of our checklist and therefore would be approved. As far as I can see with shields.io there isn't any additional collection of information beyond what GitHub collects and "No tracking" is mentioned.

I do not think that is correct. Shields.io does not seem to be hosted by GH Pages which only allows static sites, AFAIK. See https://github.com/badges/shields/blob/master/doc/self-hosting.md which implies you need a server. Also, badges.github.io/shields redirects to https://contributing.shields.io and shields.io does not include the X-GitHub-Request-Id header.
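The header check used in the comment above (is X-GitHub-Request-Id present in shields.io's response?) can be scripted so the same test is applied consistently to every host under review. The script below is an added example for this page, not code from the task, from shields.io or from GitHub; the header blocks it inspects are constructed samples, and the live `curl -sI` invocation shown in the comments is the assumed way to feed it real responses.

```shell
#!/bin/sh
# Added example (not from the task, shields.io or GitHub): classify a captured
# HTTP response header block by the indicator the review comment relied on,
# the X-GitHub-Request-Id header, and pull out Server and Location for context.
# Feed it a live response with:
#   curl -sI https://shields.io/ | detect_github_hosting
# Every header block defined below is a constructed sample, not a capture.

# header_value NAME: print the first value of header NAME (case-insensitive)
# from the header block on stdin, with CRs and surrounding whitespace removed.
header_value() {
  tr -d '\r' | grep -i "^$1:" | head -n 1 | cut -d: -f2- \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# detect_github_hosting: read a header block on stdin and print "github" when
# X-GitHub-Request-Id is present, "not-github" otherwise. Treat the answer as a
# hint only: a CDN or reverse proxy in front of GitHub can drop the header, and
# its presence says GitHub served this response, not who operates the site.
detect_github_hosting() {
  hdrs=$(cat)
  if [ -n "$(printf '%s\n' "$hdrs" | header_value x-github-request-id)" ]; then
    echo github
  else
    echo not-github
  fi
}

# Constructed sample: headers in the shape a GitHub Pages response carries.
GH_SAMPLE='HTTP/2 200
server: GitHub.com
content-type: text/html; charset=utf-8
x-github-request-id: 1A2B:3C4D:5E6F:7A8B:0000FFFF'

# Constructed sample: a redirect in the shape of the badges.github.io/shields
# hop mentioned in the thread (target taken from the thread, headers invented).
REDIRECT_SAMPLE='HTTP/2 301
server: GitHub.com
location: https://contributing.shields.io/
x-github-request-id: 9F8E:7D6C:5B4A:3928:0000FFFF'

# Constructed sample: a badge server that carries no GitHub headers at all.
SELF_SAMPLE='HTTP/2 200
server: nginx
content-type: image/svg+xml
cache-control: max-age=300'

for block in "$GH_SAMPLE" "$REDIRECT_SAMPLE" "$SELF_SAMPLE"; do
  printf 'server=%-10s location=%-32s verdict=%s\n' \
    "$(printf '%s\n' "$block" | header_value server)" \
    "$(printf '%s\n' "$block" | header_value location)" \
    "$(printf '%s\n' "$block" | detect_github_hosting)"
done
```

The redirect sample shows why the Location header matters for a CSP review: the domain the wiki embeds is not necessarily the domain that ends up serving bytes, so each hop in the chain needs the same check before concluding who collects the visitor's data.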

>> GitHub's privacy policy covers all of our checklist and therefore would be approved. As far as I can see with shields.io there isn't any additional collection of information beyond what GitHub collects and "No tracking" is mentioned.

> I do not think that is correct. Shields.io does not seem to be hosted by GH Pages which only allows static sites, AFAIK. See https://github.com/badges/shields/blob/master/doc/self-hosting.md which implies you need a server. Also, badges.github.io/shields redirects to https://contributing.shields.io and shields.io does not include the X-GitHub-Request-Id header.

I see, that is quite confusing, it seemed like a static site hosted by GH pages. Thanks for bringing this to my attention, I'll look further into it.

Owen subscribed.

-> SRE based on the above.

>>> GitHub's privacy policy covers all of our checklist and therefore would be approved. As far as I can see with shields.io there isn't any additional collection of information beyond what GitHub collects and "No tracking" is mentioned.

>> I do not think that is correct. Shields.io does not seem to be hosted by GH Pages which only allows static sites, AFAIK. See https://github.com/badges/shields/blob/master/doc/self-hosting.md which implies you need a server. Also, badges.github.io/shields redirects to https://contributing.shields.io and shields.io does not include the X-GitHub-Request-Id header.

> I see, that is quite confusing, it seemed like a static site hosted by GH pages. Thanks for bringing this to my attention, I'll look further into it.

@John Thoughts on this? I'm not sure how to proceed.

Reception123 claimed this task.

No response has been received from the owners/maintainers of shields.io. In addition, the original wiki which requested whitelisting is inactive. Therefore, for now this will be declined and the CSP entry will be removed.

If the owners/maintainers respond regarding the collection of data this may be reopened/reviewed if there is still a use case.