
bilibili.com CSP whitelist
Open, Normal, Public

Description

domain list:


CSP REVIEW

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Mostly, can opt out through AppsFlyer optout and Firebase through dataprotection@biliintl.com
  • Does the site provide a list of personal data being collected by using the service? Yes, in PP: "What personal information about you that we collect and process and why?"
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Yes, but only the video iframes are known to operate without cookies
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Yes, in PP: "How do we keep your personal information secure?"
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Through email in English: dataprotection@biliintl.com or through their security website in Chinese: Bilibili Security

Event Timeline

Max20091 triaged this task as Normal priority. May 20 2022, 08:49
Max20091 created this task.

It was added once (rPUPCa0ad7), but must've been removed at some point, as it doesn't seem to be in

Since the initial CSP review has been done by a non-SRE user, I will comment on my additional findings.

  • Regarding GDPR, I don't see any specific mentions of GDPR being complied with but relevant elements seem to exist. I'm not sure whether that's enough?
  • Regarding whether measures to protect security are described, it seems like there is a relatively detailed paragraph explaining

Overall, it seems like while Bilibili may have had some problems in the past, it has (as far as I can see) not had any clear issues with reputation, etc. and generally the privacy policy seems appropriate. The main issue would be whether their not specifically mentioning the GDPR would be an issue. I will transfer this to Trust & Safety for the next step, especially to review the GDPR aspect. I would likely say though that on the 'approval' scale, this website would likely be on the lower end.

  • About GDPR, it mostly goes through the 2 third parties and you can opt out right on the AppsFlyer website. For Firebase, it's probably for people who use a Google account on the English platform to sign in.
  • About privacy reputation from the above article (for the Chinese platform, not the English one), the article is kinda wrong anyway, as you can register an account without entering any private information. The only thing that requires verifying private information is uploading and commenting, which is required by the Chinese government. And technically you can't verify an account to upload as a foreign user unless explicit consent is given by sending an email; the automated verification system only accepts Chinese info.

What are the approval scale possibilities?

The concern I have with this website is we've had a number of Terms of Use-related issues, both pre-Trust and Safety and since then, with wikis posting unauthorized personally identifying information, usually involving the BiliBili website in some way. Given the length of time such information was allowed to remain on the BiliBili platform, I'm not terribly confident in the responsiveness of BiliBili's Data Protection Officer together with BiliBili's legal jurisdiction in which they operate.

What's the specific need here, and, given my concern above, is there not a video sharing site the videos could be posted to and we could whitelist that? For example, YouTube, or, failing that, a site like Google Drive (if that is already whitelisted), the Internet Archive, or similar.

! In T9252#187988, @Dmehus wrote:
Given the length of time such information was allowed to remain on the BiliBili platform, I'm not terribly confident in the responsiveness of BiliBili's Data Protection Officer together with BiliBili's legal jurisdiction in which they operate.

Not sure when you saw those, but recently the Chinese GDPR equivalent was launched and most companies in CN already comply with the law.
And yes, the law doesn't have a required timescale to process data, but if the issue is big enough, the company's reputation will get ruined pretty fast (aka recorded in CN's Social Credit System, and you may know how horrible that is).
It is also much faster to remove those by requesting it from the government in case of serious issues (they do have pages to specifically handle these things).

! In T9252#187988, @Dmehus wrote:
What's the specific need here, and, given my concern above, is there not a video sharing site the videos could be posted to and we could whitelist that? For example, YouTube, or, failing that, a site like Google Drive (if that is already whitelisted), the Internet Archive, or similar.

There are things that can't be posted outside of the requested page (both personal issues and because most videos on that site have the owner's signature embedded); attempting to post the video to other sites is basically breaking the ToS on both sides.
My best bet is to only whitelist player.bilibili.com (aka only the video player) in case of security or privacy concerns.
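The comment above proposes the narrowest possible whitelist: only the player origin, and only for framing. The following is an added example that is not part of this task or of Miraheze's actual CSP configuration. It is a small Python matcher for CSP source lists that shows what such a narrow policy does and does not permit: a frame from player.bilibili.com loads, but a script from the same host, a frame from www.bilibili.com, a plain-http downgrade and a non-default port are all refused, and directives the policy does not name fall back to default-src. The policy string, the wiki origin example.miraheze.org and the sample URLs (including the bvid placeholder) are constructed for the illustration.

```python
"""Toy CSP source-list matcher (added example, not Miraheze's code)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed policy, not Miraheze's real CSP: only the player origin is
# whitelisted, and only for framing. Scripts, images and everything else
# stay restricted to the wiki's own origin via default-src.
POLICY = (
    "default-src 'self'; "
    "script-src 'self'; "
    "frame-src 'self' https://player.bilibili.com"
)

# Hypothetical wiki origin used as the document origin for 'self'.
WIKI_ORIGIN = "https://example.miraheze.org"


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _port_of(parts):
    """Effective port of a split URL, using the scheme default when omitted."""
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern: str, host: str) -> bool:
    # "*.example.com" matches any subdomain but not the bare apex.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(source: str, url: str, origin: str) -> bool:
    """Does one CSP source expression permit loading `url` from a page at `origin`?"""
    u = urlsplit(url)
    o = urlsplit(origin)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "*":
        return u.scheme in ("http", "https")  # the wildcard never covers data:/blob:
    if src == "'self'":
        return (u.scheme, u.hostname, _port_of(u)) == (o.scheme, o.hostname, _port_of(o))
    if src.endswith(":") and "/" not in src:  # scheme source such as "https:"
        return u.scheme == src[:-1]
    # Host source, with or without an explicit scheme.
    s = urlsplit(src if "://" in src else f"{o.scheme}://{src}")
    if "://" in src:
        if u.scheme != s.scheme:
            return False  # explicit scheme in the source must match exactly
    elif not (u.scheme == o.scheme or (o.scheme == "http" and u.scheme == "https")):
        return False  # no scheme: same scheme as the page, or an https upgrade
    if not _host_matches(s.hostname or "", u.hostname or ""):
        return False
    if s.port is not None and s.port != _port_of(u):
        return False  # explicit port in the source must match
    if s.port is None and _port_of(u) != DEFAULT_PORTS.get(u.scheme):
        return False  # no port in the source means the scheme's default port only
    return True


def is_allowed(policy: str, directive: str, url: str, origin: str = WIKI_ORIGIN) -> bool:
    """Evaluate a fetch directive, falling back to default-src as browsers do."""
    directives = parse_csp(policy)
    sources = directives.get(directive.lower())
    if sources is None:
        sources = directives.get("default-src", [])
    return any(source_allows(s, url, origin) for s in sources)


def review_table(policy: str = POLICY) -> list:
    """Constructed loads a wiki page might attempt; returns (directive, url, allowed)."""
    checks = [
        ("frame-src", "https://player.bilibili.com/player.html?bvid=PLACEHOLDER"),
        ("frame-src", "https://www.bilibili.com/video/PLACEHOLDER"),      # other host
        ("frame-src", "http://player.bilibili.com/player.html"),           # http downgrade
        ("script-src", "https://player.bilibili.com/static/player.js"),    # scripts not whitelisted
        ("img-src", "https://player.bilibili.com/cover.png"),              # falls back to default-src
        ("img-src", "https://example.miraheze.org/logo.png"),              # 'self'
        ("frame-src", "https://player.bilibili.com:8443/player.html"),     # non-default port
    ]
    return [(d, url, is_allowed(policy, d, url)) for d, url in checks]


if __name__ == "__main__":
    for directive, url, allowed in review_table():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {directive:10} {url}")
```

The point the table makes for a CSP review is that a host whitelisted for frame-src gives that host no ability to run script in the wiki's origin; whatever runs inside the iframe is confined to the player's own origin, which is why whitelisting only player.bilibili.com is a much smaller change than whitelisting bilibili.com across the board.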

If the end goal is just to get the video player working, you can also consider making a feature request to the EmbedVideo extension. In that way, the CSP is only applied by the extension when needed.

If the end goal is just to get the video player working, you can also consider making a feature request to the EmbedVideo extension. In that way, the CSP is only applied by the extension when needed.

Our CSP overrides anything added by other extensions, so it wouldn't work unless in our CSP also I believe.

What's the specific need here, and, given my concern above, is there not a video sharing site the videos could be posted to and we could whitelist that? For example, YouTube, or, failing that, a site like Google Drive (if that is already whitelisted), the Internet Archive, or similar.

Bilibili is one of the largest video streaming platforms in China. Given the nature of the Great Firewall, visiting other sites is an issue for users residing within China, let alone the copyright issues associated with reuploading. I think it is worth considering because of its popularity, as long as it passes Trust & Safety.

Our CSP overrides anything added by other extensions, so it wouldn't work unless in our CSP also I believe.

Thanks, didn't know that. In that case I do still suggest a feature request to the EmbedVideo fork as it adds a layer of security by asking for explicit user consent to load the iframe and external resources.

@Owen, can you review this? Thanks!