Page MenuHomeMiraheze
Create Task
Maniphest T9214

Allow LucidChart iframes in CSP
Closed, ResolvedPublic
Actions

Description

Wiki URLinfomedia.miraheze.org

I would like to be able to embed LucidChart flow diagrams onto our Wiki, but the iframes are currently not rendering. Is there any way to enable this?

Here is a sample embed code:

<div style="width: 640px; height: 480px; margin: 10px; position: relative;"><iframe allowfullscreen frameborder="0" style="width:640px; height:480px" src="https://lucid.app/documents/embedded/7f04103a-35cc-4d7b-83b0-0d3be8c30d71" id="DGyf2k4KUvZ8"></iframe></div>

Requested domains: lucid.app

Reason: See above request

Related Links:

CSP REVIEW: lucid.app

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes, while the GDPR itself is not explicitly mentioned, mentions of EEA residents are made as well as California's privacy law which is similar to the GDPR, and a section detailing user rights as to their information which seems to match GDPR requirements
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No indication of this
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? some features may not work, but generally seems ok
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes, likely
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes, specific email - privacy@lucid.co
  • Is the site equipped with a security policy? Part of Privacy policy
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? No specifics are given, only general assurances are made
  • Is the website owner known to have a bad reputation regarding information security? No evidence of this
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Doesn't seem to be a specific one, general support (or privacy) can likely be contacted

Related Objects

Event Timeline

Aaron.catlin created this task.May 12 2022, 09:03
Herald added subscribers: Agent_Isai, Unknown Object (User), RhinosF1, Reception123. · View Herald TranscriptMay 12 2022, 09:03
RhinosF1 edited projects, added CSP Review, Configuration; removed MediaWiki.May 12 2022, 09:09

This would need a CSP review

Ugochimobi renamed this task from Allow LucidChart iframes to Review lucid.app CSP entry.May 12 2022, 09:11
RhinosF1 renamed this task from Review lucid.app CSP entry to Allow LucidChart iframes in CSP.May 12 2022, 09:13
RhinosF1 updated the task description. (Show Details)
Aaron.catlin added a comment.May 12 2022, 09:15

Just to check that you're not looking for input on me on this and the review is something the miraheze team will do?

RhinosF1 added a subscriber: Owen.May 12 2022, 09:17

Normally @Reception123 and @Owen do them

Aaron.catlin added a comment.May 23 2022, 08:51

Please can I have an update on this?

Reception123 updated the task description. (Show Details)May 24 2022, 18:13
In T9214#187660, @Aaron.catlin wrote:

Please can I have an update on this?

Sorry for the delay, I have now reviewed the website and the next step will be for our Trust & Safety team to review it.

(Comments: lucidapp.com/lucid.co seems to generally adhere to our checklist and there don't seem to be any particular issues, so this should be good to approve). Passing onto T&S for review.

Reception123 updated the task description. (Show Details)May 24 2022, 18:14
Reception123 moved this task from SRE Review to T&S Review on the CSP Review board.
Reception123 added a project: Trust & Safety.
Dmehus subscribed.EditedMay 26 2022, 06:24
In T9214#187810, @Reception123 wrote:
In T9214#187660, @Aaron.catlin wrote:

Please can I have an update on this?

Sorry for the delay, I have now reviewed the website and the next step will be for our Trust & Safety team to review it.

(Comments: lucidapp.com/lucid.co seems to generally adhere to our checklist and there don't seem to be any particular issues, so this should be good to approve). Passing onto T&S for review.

Looking at the way Lucid.app's set up, Stewards or Interwiki Administrators may be able to add an interwiki prefix for you locally, with transclusion enabled, which may facilitate the same aims.

That being said, this seems to be a simple document viewer, not unlike Google Docs or CryptPad. I'll take a look a closer look at their Privacy Policy in the next couple of days, but I do agree this does look to be on the higher end of SRE's approval threshold and quite possibly will be approved. I would want to look more closely into this:

Yes, while the GDPR itself is not explicitly mentioned, mentions of EEA residents are made as well as California's privacy law which is similar to the GDPR, and a section detailing user rights as to their information which seems to match GDPR requirements

The California privacy law may be similar, but it is not equivalent to the UK Data Protection Act, so I want to look into those specific references around jurisdiction and data handling.

Aaron.catlin added a comment.Jun 6 2022, 13:06

Hi,

I have found this page related to LucidChart and their GDPR compliance: https://lucid.co/gdpr-compliance

Hopefully this helps wrap things up.

Thanks

Bukkit subscribed.Jun 16 2022, 23:42
Bukkit added a comment.Jun 17 2022, 15:35

I have made a pull request for if this gets approved.

Aaron.catlin added a comment.Jun 28 2022, 09:22

Please can we have an update on this?

Agent_Isai added a comment.Jul 4 2022, 07:42

@Owen, can you review this? Thanks!

Owen moved this task from Backlog to External on the Trust & Safety board.Jul 17 2022, 14:35
Owen moved this task from T&S Review to EM Review on the CSP Review board.Jul 17 2022, 15:15

Approved from my perspective.

Unknown Object (User) added a subscriber: John.Aug 14 2022, 05:53
Herald removed a subscriber: RhinosF1. · View Herald TranscriptAug 14 2022, 05:53
Reception123 assigned this task to John.Aug 14 2022, 17:11
Unknown Object (User) moved this task from Backlog to Short Term on the MediaWiki (SRE) board.Sep 12 2022, 22:12
Unknown Object (User) removed a project: Configuration.Sep 13 2022, 16:33
John moved this task from EM Review to Pending Addition on the CSP Review board.Sep 18 2022, 17:46
John closed this task as Resolved.Sep 18 2022, 17:52
John moved this task from Pending Addition to Completed on the CSP Review board.
Restricted Repository Identity mentioned this in rPUPC8a724385771f: T9214: Add lucidcharts.Sep 18 2022, 17:53