
Readd Facebook to CSP
Closed, ResolvedPublic

Description

Hello Miraheze!

I posted this on the related task here, but I assumed it wasn't seen because it is closed. However, to recap, I would like to request adding Facebook back to the CSP. My use-case here is that I use Facebook's iframe Page Plugin to show the newsfeed of the mobile game my wiki is about. They only have Facebook, no Twitter or anything, so I can only use Facebook as a newsfeed, and since I do not use Facebook outside of it, it makes it much easier for me to update my own wiki when there is an update in the game. However, if the security concern is too great, then I can reference it externally instead of on my wiki; it is just a lot less convenient for me.

Still, I implore you to reconsider, as there are other plugins on there that I can see other wikis using, such as certain embedded posts/comments, like buttons, a button to join the wiki's group (if they have a Facebook group), and like me, using the Page Plugin as a newsfeed.

Thank you very much in advance!


CSP REVIEW

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? While GDPR isn't specifically mentioned, Facebook allows you to delete/rectify/etc. your data
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? It's complicated
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Unsure
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Likely yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Don't see any specifics beyond general information
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? I don't see any particular way of contact besides general support

Event Timeline

Unknown Object (User) updated the task description. Nov 7 2021, 01:09
Unknown Object (User) moved this task from SRE Review to T&S Review on the CSP Review board.

Passing back to T&S since a use-case was determined by this task.

Unknown Object (User) added a project: Trust & Safety.Nov 10 2021, 00:01

@Reception123 For this one, what subdomain is proposed to be re-added? If it's `*.facebook.com`, I think that would be an over-reach, given the number of ad trackers Facebook uses. I think we would probably re-add the subdomain for linking to user-hosted Facebook images, given that Facebook has European subsidiaries and is thus forced to comply with the GDPR.

Yes, the images link only would be fine.

Approved for images only.
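To make the scope decision in this task concrete in directive terms, the following is an added example, not Miraheze's CSP configuration or code. It implements CSP source-list matching and compares two constructed policies: the wildcard `*.facebook.com` scope the reviewer calls an over-reach, and an images-only scope under `img-src`. The task does not name the approved subdomain, so `placeholder-images.facebook.com` and `placeholder-tracking.facebook.com` are stand-in hostnames, the wiki origin and the load URLs are constructed, and `evaluate` is a helper defined here.

```python
"""CSP source matching, written to show what the scope choice in this task
means in directive terms: a broad "*.facebook.com" allow-list versus one
image host under img-src only.  Illustrative code, not Miraheze's
configuration.  The placeholder-* hostnames, the wiki origin and the loads
below are constructed; the task does not name the approved subdomain."""
from urllib.parse import urlsplit

# Which directive governs each resource type; CSP falls back to default-src
# when the specific directive is absent.
DIRECTIVE_FOR = {"img": "img-src", "frame": "frame-src", "script": "script-src"}


def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, url, page_origin):
    """Match one source expression ('self', scheme:, host, *.host) to a URL."""
    u = urlsplit(url)
    page = urlsplit(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):            # scheme-source such as "https:"
        return u.scheme == source[:-1]
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = "", source
    host = rest.split("/", 1)[0].rsplit(":", 1)[0].lower()
    if scheme:
        if u.scheme != scheme:
            return False
    elif u.scheme not in (page.scheme, "https"):
        return False                    # scheme-less sources allow the page scheme or https
    if host.startswith("*."):
        # "*.facebook.com" matches any subdomain but not the apex host itself
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host


def allowed(policy, resource_type, url, page_origin):
    """Would loading url as resource_type pass this parsed policy?"""
    directive = DIRECTIVE_FOR[resource_type]
    if directive in policy:
        sources = policy[directive]
    elif "default-src" in policy:
        sources = policy["default-src"]
    else:
        return True                     # policy is silent, so the browser allows the load
    return any(source_matches(s, url, page_origin) for s in sources)


WIKI_ORIGIN = "https://wiki.example"   # constructed page origin

# The wildcard scope the reviewer calls an over-reach, and an images-only
# scope.  "placeholder-images.facebook.com" stands in for the unnamed subdomain.
BROAD_CSP = "default-src 'self'; img-src 'self' *.facebook.com; frame-src *.facebook.com"
APPROVED_CSP = "default-src 'self'; img-src 'self' https://placeholder-images.facebook.com"

# Constructed loads: a user-hosted image, a tracking pixel (also an image
# load, which is why a wildcard in img-src matters) and the Page Plugin iframe.
LOADS = {
    "user image": ("img", "https://placeholder-images.facebook.com/photo.jpg"),
    "tracking pixel": ("img", "https://placeholder-tracking.facebook.com/pixel.gif"),
    "page plugin iframe": ("frame", "https://www.facebook.com/plugins/page-plugin"),
}


def evaluate(header, loads=LOADS, page_origin=WIKI_ORIGIN):
    """Return {label: allowed?} for every constructed load under a CSP header."""
    policy = parse_csp(header)
    return {label: allowed(policy, kind, url, page_origin)
            for label, (kind, url) in loads.items()}


if __name__ == "__main__":
    for name, header in (("broad", BROAD_CSP), ("approved", APPROVED_CSP)):
        print(name, evaluate(header))
```

Under the broad policy all three loads pass, including the tracking pixel, because any subdomain satisfies `*.facebook.com`. Under the images-only policy the user-hosted image still loads, the pixel on a different subdomain is blocked, and the Page Plugin iframe falls through to `default-src 'self'` and is blocked, which is the trade-off the requester accepted when offering to link the feed externally instead.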

John claimed this task.
John moved this task from EM Review to Completed on the CSP Review board.