Page MenuHomeMiraheze

Review shields.io CSP Entry
Open, NormalPublic

Description


CSP REVIEW
Note: Shields.io is hosted with GitHub (see their repo here: https://github.com/badges/shields) and therefore it appears that GitHub is the only one that would collect any sort of data. The review below will therefore be of GitHub.

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes, see PP
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Yes
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes, privacy@github.com
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Yes, some details are provided
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Yes

Event Timeline

John triaged this task as Normal priority.Aug 28 2021, 19:36
John created this task.

GitHub's privacy policy covers all of our checklist and therefore would be approved. As far as I can see with shields.io there isn't any additional collection of information beyond what GitHub collects and "No tracking" is mentioned.

GitHub's privacy policy covers all of our checklist and therefore would be approved. As far as I can see with shields.io there isn't any additional collection of information beyond what GitHub collects and "No tracking" is mentioned.

I do not think that is correct. Shields.io does not seem to be hosted by GH Pages which only allows static sites, AFAIK. See https://github.com/badges/shields/blob/master/doc/self-hosting.md which implies you need a server. Also, badges.github.io/shields redirects to https://contributing.shields.io and shields.io does not include the X-GitHub-Request-Id header.

GitHub's privacy policy covers all of our checklist and therefore would be approved. As far as I can see with shields.io there isn't any additional collection of information beyond what GitHub collects and "No tracking" is mentioned.

I do not think that is correct. Shields.io does not seem to be hosted by GH Pages which only allows static sites, AFAIK. See https://github.com/badges/shields/blob/master/doc/self-hosting.md which implies you need a server. Also, badges.github.io/shields redirects to https://contributing.shields.io and shields.io does not include the X-GitHub-Request-Id header.

I see, that is quite confusing, it seemed like a static site hosted by GH pages. Thanks for bringing this to my attention, I'll look further into it.

Owen added a subscriber: Owen.

-> SRE based on the above.