Review scratchblocks.github.io CSP entry
Closed, Resolved. Public

Description

CSP REVIEW: github.com
DISCLAIMER: As far as I can see (this should perhaps be double checked) no extra analytics exist and the owner claims they do not collect data. GitHub.com is being reviewed here for the purposes of the checklist.

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Yes
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Needs to be contacted via general support
  • Is the site equipped with a security policy? Yes, part of PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Yes, see PP
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Needs to be contacted via general support

Event Timeline

Reception123 triaged this task as Normal priority. Sep 7 2021, 16:53
Reception123 created this task.

FYI, I asked an upstream maintainer about this.

Thanks. Just noting that this website seems to be similar to the issue in T7899#160971.

@Owen The maintainer claims no data is collected. Is it enough to take their word for it? If not, how else are we supposed to confirm that?

It's a github.io site. As far as data collection goes, it's going to be on GitHub's end unless something like analytics is put in the header.

You can confirm via a quick read of the HTML.

As mentioned above, as far as I can see (should be double checked) there's no analytics in the header and the owner claims they do not collect data. GitHub has been reviewed for the purpose of the checklist and there's no issues there. I would recommend approval as long as the header is double checked for extra analytics.

(Note: there is a cloudfront.net resource, which is part of AWS; however, there's no indication that any analytics are collected through that. Alternatively, AWS has already been reviewed in T7895, and that task was ultimately declined for reasons other than AWS not passing the review.)

My understanding is GitHub owns and operates the github.io domain, for their projects' hosted GitHub Pages.

@Reception123 Wouldn't any domains from external trackers need to be whitelisted against the CSP as well? Or, do you mean direct GitHub, Inc.-operated analytics tools? If that, I think this is probably fine, as GitHub maintains a GDPR-compliant Privacy Policy where users can either request removal of tracking data or even opt out of tracking. Can users outside the European Economic Area and UK opt out of any ad tracking analytics?

Also, for "Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Yes, see PP"

Can you link to the specific section referenced in the privacy policy?

Thanks
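One way to do the "quick read of the HTML" suggested above and, at the same time, see which of the loaded hosts a wiki's CSP would actually have to cover (an added example, not code from this task or from Miraheze): it parses a page's markup for script, img and iframe sources, resolves them to hosts and reports each host's status under a sample policy. The HTML, the CSP header and the cloudfront host name are constructed placeholders, not values observed on the real site.

```python
"""Added example, not from the task or Miraheze's tooling: list the hosts a page
pulls in and check each against a CSP allowlist. HTML, CSP and host names below
are constructed placeholders (the cloudfront host is not the real one)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (attribute holding the URL, CSP directive that governs the fetch)
TAG_RULES = {"script": ("src", "script-src"), "img": ("src", "img-src"), "iframe": ("src", "frame-src")}

class ResourceCollector(HTMLParser):
    """Collect (directive, absolute URL) for every sub-resource the markup fetches."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.resources = base_url, []

    def handle_starttag(self, tag, attrs):
        if tag in TAG_RULES:
            attr, directive = TAG_RULES[tag]
            url = dict(attrs).get(attr)
            if url:  # resolve relative and protocol-relative (//host/...) URLs
                self.resources.append((directive, urljoin(self.base_url, url)))

def parse_csp(header):
    """'script-src a b; img-src c' -> {'script-src': {'a', 'b'}, 'img-src': {'c'}}"""
    return {p.split()[0]: set(p.split()[1:]) for p in header.split(";") if p.split()}

def host_allowed(host, directive, policy, page_host):
    """Is host covered by the directive (falling back to default-src), incl. *. wildcards?"""
    sources = policy.get(directive, policy.get("default-src", set()))
    if "'self'" in sources and host == page_host:
        return True
    return any(s == host or (s.startswith("*.") and host.endswith(s[1:])) for s in sources)

def review_page(html, base_url, csp_header):
    """Return sorted (directive, host, allowed) triples, one per distinct host."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    policy, page_host = parse_csp(csp_header), urlsplit(base_url).hostname
    findings = set()
    for directive, url in collector.resources:
        host = urlsplit(url).hostname
        if host:  # data:/blob: URLs carry no host and need no allowlist entry
            findings.add((directive, host, host_allowed(host, directive, policy, page_host)))
    return sorted(findings)

# Constructed sample page and policy; a real review would fetch the live HTML instead.
SAMPLE_HTML = """<html><head><script src="https://scratchblocks.github.io/js/scratchblocks.min.js"></script>
<script src="//example-dist.cloudfront.net/analytics.js"></script></head>
<body><img src="/images/logo.png"><img src="https://scratchblocks.github.io/images/demo.png"></body></html>"""
SAMPLE_CSP = "default-src 'self'; script-src 'self' scratchblocks.github.io; img-src 'self' *.github.io"
REPORT = review_page(SAMPLE_HTML, "https://wiki.example.org/", SAMPLE_CSP)
```

Any host reported as not allowed is a resource the policy would block, so it is exactly the kind of extra script that either needs its own CSP entry or is a reason to hold the approval.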

I don't think the analytics would need to be whitelisted separately.

Here is the security section in the PP: https://docs.github.com/en/github/site-policy/github-privacy-statement#how-github-secures-your-information

John claimed this task.
John moved this task from EM Review to Completed on the CSP Review board.