
Review pixabay CSP Entry
Closed, Resolved (Public)

Description


CSP REVIEW

  • Is the site equipped with a privacy policy? Yes, albeit short
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? No, perhaps because it doesn't retain data covered by the GDPR?
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Potentially no: "some website features or services may not function properly without cookies."
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Probably not; general support can be contacted
  • Is the site equipped with a security policy? No
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? No
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? No; would probably have to contact general support

Event Timeline

John triaged this task as Normal priority. Aug 28 2021, 19:42
John created this task.
Unknown Object (User) subscribed. Aug 30 2021, 15:12

Do we know what subdomains are used and why *.pixabay.com is whitelisted instead of specific subdomains such as cdn.pixabay.com?

Unknown Object (User) added a subscriber: Reception123. Edited Sep 1 2021, 06:00

I have updated the CSP (merged by @Reception123) to just use cdn.pixabay.com instead of the unnecessary wildcard.

This seems to me similar to T5869#160083 (postimages) in the sense that it doesn't appear to collect any data covered by the GDPR, so it would be able to pass our checklist. T&S should, however, double-check this to make sure that's correct.
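The wildcard-versus-specific-host point raised above, as an added example that is not part of this task, of Miraheze's CSP configuration, or of pixabay's code: a small JavaScript matcher for CSP host-source expressions (a simplification of the CSP3 matching rules, not a full CSP engine) run against constructed sample URLs, showing that `*.pixabay.com` admits every subdomain of pixabay.com while `cdn.pixabay.com` admits only that one host. The sample URLs and the `compareEntries` helper are invented for illustration; the only real identifiers are the two CSP entries discussed in the thread.

```javascript
// Added example for this review thread, not code from Miraheze or pixabay.
// Minimal matcher for CSP host-source expressions (a simplification of the
// CSP3 "does url match expression in origin" algorithm), used to show what
// the wildcard `*.pixabay.com` admits compared with the narrowed
// `cdn.pixabay.com`. Sample URLs below are constructed for illustration.

function parseSourceExpression(expr) {
  // scheme-source, e.g. "https:" -> any host over that scheme
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return { scheme: schemeOnly[1].toLowerCase(), host: "*", port: "*", path: null };
  // host-source: [scheme://]host[:port][/path]; host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] ?? null,
    path: m[4] ?? null,
  };
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    // "*.pixabay.com" matches every subdomain, but not the apex "pixabay.com"
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function schemeMatches(exprScheme, urlScheme, pageScheme) {
  // No scheme in the expression: inherit the page's scheme, allowing an
  // http page to load https resources (CSP's secure-upgrade rule)
  if (exprScheme === null) return urlScheme === pageScheme || (pageScheme === "http" && urlScheme === "https");
  return exprScheme === urlScheme || (exprScheme === "http" && urlScheme === "https");
}

function portMatches(exprPort, url) {
  if (exprPort === "*") return true;
  const defaultPort = url.protocol === "https:" ? "443" : "80";
  const urlPort = url.port || defaultPort; // URL.port is "" for the default port
  return exprPort === null ? urlPort === defaultPort : exprPort === urlPort;
}

function pathMatches(exprPath, urlPath) {
  if (exprPath === null) return true;
  // A trailing "/" means prefix match; otherwise the path must match exactly
  return exprPath.endsWith("/") ? urlPath.startsWith(exprPath) : urlPath === exprPath;
}

// Does a single source expression allow loading urlString from a page served over pageScheme?
function sourceAllows(expr, urlString, pageScheme = "https") {
  if (expr.startsWith("'")) return false; // keyword sources ('self', 'none', nonces) are not modelled here
  const src = parseSourceExpression(expr);
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);
  return schemeMatches(src.scheme, urlScheme, pageScheme)
    && hostMatches(src.host, url.hostname)
    && portMatches(src.port, url)
    && pathMatches(src.path, url.pathname);
}

// Does a whole source list (the value of one directive such as img-src) allow urlString?
function directiveAllows(sourceList, urlString, pageScheme = "https") {
  return sourceList.split(/\s+/).filter(Boolean).some((expr) => sourceAllows(expr, urlString, pageScheme));
}

// Compare the wildcard entry with the narrowed one on constructed sample URLs
function compareEntries() {
  const samples = [
    "https://cdn.pixabay.com/photo/2021/08/28/sample.jpg", // the host wikis actually need
    "https://anything.pixabay.com/sample.png",             // any other subdomain
    "https://pixabay.com/sample.png",                      // the bare apex
    "https://cdn.pixabay.com.example.net/sample.png",      // look-alike host on another domain
  ];
  return samples.map((u) => ({
    url: u,
    wildcard: directiveAllows("*.pixabay.com", u),
    narrowed: directiveAllows("cdn.pixabay.com", u),
  }));
}

for (const row of compareEntries()) console.log(row);
```

Note that `*.pixabay.com` does not match the apex `pixabay.com` itself, and neither entry matches a look-alike host on a different registrable domain; what the narrowing to `cdn.pixabay.com` removes is the blanket trust in every present and future pixabay.com subdomain, which is exactly what the question above was getting at.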

Owen subscribed.

No concerns regarding the lack of any mention of the GDPR in the PP; information is only retained for 7 days before being deleted, and the collected information relies on consent as the mechanism, not legitimate interest.

John claimed this task.
John moved this task from EM Review to Completed on the CSP Review board.