
player.bilibili.com (and sites related to it) CSP whitelist
Closed, Declined · Public

Authored By: Max20091, Nov 12 2022, 07:10

Description

domain list:


CSP REVIEW

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes
    • While the GDPR itself is not explicitly mentioned, the PIPL law in China, which is mentioned, is similar to the GDPR, and a section detailing user rights regarding their information seems stricter than the GDPR.
    • The site is equipped to respond to user requests within 15 days if contacted through the addresses mentioned in the privacy policy. I tested that they do respond to foreign personal information (personal information censored) within a day, so this seems to comply with the GDPR time limit. {F1940022}
    • The site does not seem to collect any personally identifiable information unless you specifically give it to them (only if you know what to type and successfully register an account, which is mostly impossible for overseas users).
  • Does the site provide a list of personal data being collected by using the service? Yes, in PP: "What personal information about you that we collect and process and why?"
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Yes
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Yes
    • Can be found in 我们对您个人信息的存储与保护 (Our storage and protection of your personal information)
    • The site does not store oversea user data (unless signed up an account) as there is no cross-border storage
    • Only store data for the shortest period necessary
  • Is the website owner known to have a bad reputation regarding information security? Yes, but only regarding their old site source code, which doesn't contain any user data
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? For site security (in Chinese): see 联系我们 (Contact us). For other unauthorized personal information reports that do not come from a logged-in account, please contact the Cyberspace Administration of China, as they check any websites within the Chinese internet space.

Event Timeline

Max20091 triaged this task as Normal priority.Nov 12 2022, 07:10
Max20091 created this task.
Unknown Object (User) added a comment.Nov 12 2022, 07:14

This has already been declined as I mentioned in the other task. It is the same domain, under same management so the same would likely apply to it.

Testing pulling my own user data using direct CS chat.

image.png (914×807 px, 68 KB)

image.png (922×814 px, 64 KB)


Chat transcript (translated from the Chinese original; CS = Bilibili customer service, Me = Max20091):

CS: This is the Chinese-language customer service; we would ask you to communicate in Chinese.
Me: I want to request my own personal data through my Bilibili uid: 309663921

CS: What data do you need?
Me: My video viewing history for the last 7 days

CS: OK, Bilibili customer service has noted the situation you reported and will transfer you right away to the colleague who handles this issue. The conversation record is kept, so you don't need to resend it; please wait and don't leave while we transfer you… Loading…
CS: Hello, this is a human agent. We are verifying the issue you mentioned; please don't worry.
CS: Your history keeps up to 1200 entries from the last 90 days.
CS: https://www.bilibili.com/account/history (requires logging in to your own account to see the data)
CS: You can open this link to view it.
Me: Thanks
CS: You're welcome.

This real-time chat is only accessible if you have a verified Chinese account (if you don't verify, all data is anonymized), and if you specifically request data that requires high-security access (i.e. personal information), the chat bot will instead switch to a real person to handle the issue.

As the video watch history is anonymized (CS can't respond to such a request and instead redirects the user to the history page, which requires login), it is confirmed that this type of data is compliant with the GDPR.
Video watch history is kept for 90 days and has a limit of about 1200 videos.

Unknown Object (User) added subscribers: John, Reception123, Owen.Dec 15 2022, 18:18

Updated the CSP request to specifically target the Chinese Bilibili; it does not apply to the global version of Bilibili.
The Chinese site also does not store overseas data, as stated in their Privacy Policy.

@Max20091 I am concerned if it's not possible to contact a Data Protection Officer in English/without a Chinese account. Could you please confirm that?

There is an email address for Bilibili Security Team: security@bilibili.com

Since you're the one making the request, would you mind contacting them and seeing?

Sure, what should I ask about?

Hello, it seems security@bilibili.com isn't used anymore; contacting their customer support at help@bilibili.com is much faster.

You can use DeepL translator to translate from English to Chinese.

The fastest way to get a response from them is going through their online chat, but I need some questions to ask them.

{F2009864}
Testing help@bilibili.com; it seems they do read the email.

Title: 关于隐私政策的询问 (Inquiries about the Privacy Policy)
Content: 你好,我可以问一下这个电子邮件是否有效吗? (Hello, may I ask if this email is valid?)

Also, using the text "Privacy Policy" does mark the email as confidential.

I have tried to get answers by email about the GDPR, but I only received a vague answer (machine translated below):

"Hello! If you encounter related problems, we recommend that you take the infringement complaint process in a timely manner; there are legal staff to verify the processing, please rest assured!"

Kinda unsurprising, given that this is a Chinese company. While the EU intended for the GDPR to apply worldwide to any company processing data of EU citizens, it would surprise me a lot if Chinese companies cared about what it said. Don't expect any straight answer from them.

Almost all answers are covered in the Privacy Policy, so there's no point asking them about that.
If you notice, Chinese sites don't have cookie consents because they don't rely on selling user data; selling merch or taking a cut from third-party sellers is way more profitable than ads in China.

Since they don't take any data from foreign users (or it is anonymized, as in their privacy policy), they comply with the GDPR anyway.
Chinese law requires separate storage for foreign users; if not, they are not allowed to collect data in any way.

They have reasons to talk in a very blunt way. I know that miHoYo (the devs of Genshin Impact) tried to pull user data through Bilibili in a normal way, like sending an email to them, but was unsuccessful because the law doesn't allow it.
As far as I can tell, only lawsuits can force Bilibili to spit out user real names and other stuff (see the infamous "Leaker Hunt Decree").

I tried navigating their Chinese website without NoScript and uBlock Origin. They're running a fingerprint script; I've attached a heavily redacted version of the report they're sending to their server. Redacted information includes WebGL fingerprint results, GPU driver name, screen and browser window resolutions, a UUID, part of the User-Agent header (this one, though, they already get without needing fingerprinting) and many suspicious-looking numbers. It is known that anonymized data ends up not being as anonymized as initially thought most of the time. Whether or not this gets approved is ultimately not my decision, but just on the fact that they're running a fingerprint script + no mention of the GDPR, if I were the one to decide this, I would decline this instantly.

You can actually track people without a consent as long as

  • Information can't identify who they are.
  • Only used for analysis
  • Not connected to other websites
  • Have accurate information in PP

This is how MH and many other websites can track people without requiring consent.
Even more, there will be no cookie banner if you don't use any tracking cookies (still GDPR compliant).
The GDPR is worse, as you need to prove that the info can cause damage, unlike the PIPL, which requires the other party to prove they did nothing wrong.

Unless you can point out the issue within their privacy policy, Bilibili is GDPR compliant as far as I can see.

That information can easily identify people, especially because I bet that is being shared with ad networks as part of a targeted advertising profile (so not only for analytics, and is connected to other websites through the ad network). The article I linked to talks about how supposedly anonymized data is not all that anonymous.

No, Miraheze doesn't do this. The only information they collect that's not already available as a result of basic web browsing (through Matomo, which is being sent to a server under their control, and not being shared with anyone, important difference here) is screen resolution, through a POST request to https://matomo.miraheze.org/matomo.php. That's a far cry from full-blown fingerprinting.

They may not use tracking cookies, (though I bet they do too), but that's just the law not adapting well to "new" technologies. Fingerprinting like this is essentially the same as a tracking cookie.

Correction: It is shared, in the same "anonymized" way, but at least it doesn't look like you could draw identifying information about any given user. Still recommend just blocking that POST anyway.

Be aware that this is not Google or something highly invasive in the West; Chinese companies like Bilibili mostly don't share data with third parties, so it complies with the GDPR easily.
You can read their statement in "我们如何共享、转让、公开披露您的个人信息" (How we share, transfer and publicly disclose your personal information).

I think we need someone to thoroughly check all of Bilibili's privacy policies before a final conclusion, rather than getting rejected without a way to appeal like last time.
The only issue left is the PP text.

@OrangeStar can you test this link and see if they collect anything? https://player.bilibili.com/player.html?bvid=1Hz4y1k7ae
This task is only targeting the video player, not other parts of the site, so the scope should be only player.bilibili.com (and things related to it).
I didn't see anything suspicious in this link, like pseudo-anonymised data.

Unknown Object (User) added a comment.Jan 20 2023, 18:17

My advice, as it has always been, is to decline this. There are too many unknowns here, and in my opinion, it provides a risk.

> Be aware that this is not Google or something highly invasive in the West; Chinese companies like Bilibili mostly don't share data with third parties, so it complies with the GDPR easily.
> You can read their statement in "我们如何共享、转让、公开披露您的个人信息" (How we share, transfer and publicly disclose your personal information).

That fingerprinting to build advertising profiles makes me think they do, so don't be so fast to say that they comply with the GDPR.

> I think we need someone to thoroughly check all of Bilibili's privacy policies before a final conclusion, rather than getting rejected without a way to appeal like last time.
> The only issue left is the PP text.

Apparently Bilibili has 2 domains, bilibili.com, which is the Chinese version, and the worldwide bilibili.tv, according to Wikipedia. There seems to be an English version of the policy at https://web.archive.org/web/20230113020923/https://www.bilibili.com/blackboard/protocal/international_en_privacy.html, last updated September 29, 2021.

Interpreting it is not my work, but I just want to say 1 thing: In the fifth point of the 2nd section, "Who do we share your personal information with?", the third parties serving these targeted ads go unnamed, it says they exist, but doesn't say who they are. Article 13 of the GDPR requires disclosing to the data subject "the recipients or categories of recipients of the personal data, if any;".

> @OrangeStar can you test this link and see if they collect anything? https://player.bilibili.com/player.html?bvid=1Hz4y1k7ae
> This task is only targeting the video player, not other parts of the site, so the scope should be only player.bilibili.com (and things related to it).
> I didn't see anything suspicious in this link, like pseudo-anonymised data.

I can't for some reason. I've taken a look at the source: there are trivial inline scripts, open-source libraries like jQuery and a minified script with copyright Microsoft Corporation, Apache 2.0 license, without accompanying source code (it has a sourceMappingUrl comment, but it points nowhere). A quick look reveals that the script uses XMLHttpRequest, so it could very well pull in additional scripts, like the fingerprint script.

> That fingerprinting to build advertising profiles makes me think they do, so don't be so fast to say that they comply with the GDPR.

Chinese advertising profiles are very different from the "global" ones. I have tested for many years now and didn't see any non-Chinese ads on their Chinese platform.
They even block watching movies when you are not a Chinese user, so it doesn't really make sense for them to build advertising profiles for non-Chinese users.
And unless you can prove they did use your data for advertising purposes, the GDPR can't help you find out if they ever sold your data to others. The Chinese PIPL, on the other hand, requires the company to prove itself innocent, so you can just sue them in the online court and they will spit out everything they do with your data.

> Apparently Bilibili has 2 domains, bilibili.com, which is the Chinese version, and the worldwide bilibili.tv, according to Wikipedia. There seems to be an English version of the policy at https://web.archive.org/web/20230113020923/https://www.bilibili.com/blackboard/protocal/international_en_privacy.html, last updated September 29, 2021.
>
> Interpreting it is not my work, but I just want to say 1 thing: In the fifth point of the 2nd section, "Who do we share your personal information with?", the third parties serving these targeted ads go unnamed, it says they exist, but doesn't say who they are. Article 13 of the GDPR requires disclosing to the data subject "the recipients or categories of recipients of the personal data, if any;".

The bilibili.tv website doesn't specifically target its services at individuals in the EU, so it is not subject to the rules of the GDPR. Only bilibili.com, which I'm requesting CSP for here, is subject to the rules of the GDPR.
Article 3 on gdpr.eu explains when the GDPR applies to non-EU sites.
And it's unlikely someone in MH would provide services using bilibili.tv anyway.

> I can't for some reason. I've taken a look at the source: there are trivial inline scripts, open-source libraries like jQuery and a minified script with copyright Microsoft Corporation, Apache 2.0 license, without accompanying source code (it has a sourceMappingUrl comment, but it points nowhere). A quick look reveals that the script uses XMLHttpRequest, so it could very well pull in additional scripts, like the fingerprint script.

The last time you tested was some sort of "game event" website rather than watching videos, so they might just collect WebGL data for bug-fixing purposes.
The only thing you can embed from the bilibili.com website is their video player, so that's why I'm requesting CSP for only that site.

I don't think they would collect pseudo-anonymized data for advertising purposes.
Otherwise they would face lawsuits easily, given that there are lots of competitors and many of them want to shut down their competitors by any means.

If I'm being honest, the fact that there's so much debate and uncertainties here does tend to lead to the conclusion that things are not quite in order. As I have said, I am not satisfied with the response I was given related to my GDPR query.

So I'd say unless (a) we are able to confirm that there is strict GDPR compliance OR equivalent compliance AND (b) the part about fingerprinting is not true and that can be confirmed, this would have to be declined.

@Max20091 You're right, I was unable to reproduce that specific request when watching videos (by the way, that data is being sent to https://api.bilibili.com/x/internal/gaia-gateway/ExClimbWuzhi by the script https://s1.hdslb.com/bfs/seed/log/report/log-reporter.js), but I could see it at https://www.bilibili.com/blackboard/activity-kMBqLRJlBd.html. However, I'm not convinced that this is done for debugging purposes, as

  • there is no interactive game at that page that would make use of WebGL features, only videos. Therefore, there's no legitimate need for that page to use WebGL stuff at all
  • The information included in that report is mostly not relevant for debugging a WebGL application, like the Accept-Language header (the en-US string at redacted.webp), the UUID (which I discovered is retrieved from the _uuid cookie), a timezone (which is one of the redacted values at redacted.webp), browser and screen resolutions, and the many unexplained shady numbers, which I suspect are the result of looking for other browser features or performing canvas fingerprinting.
  • The way this data is being sent is just nonsensical. They could easily retrieve this stuff and send it in a properly-formatted JSON, yet everything is sent wrapped in a "payload" key on a JSON, which tells me that API could be a proxy that sends this data to whatever company is doing targeted advertisements, and that they themselves (bilibili) don't know what is being collected. While looking at other JSON POST requests everything is properly formatted and has appropriate JSON key names, even the ones for retrieving ads, this one is different to all the other requests. However, this is more speculation than anything, could be totally wrong here.

I believe this is still being done with the purpose of targeted advertisement.

As for article 3 of the GDPR, they're clearly monitoring user behavior (including mine, the behavior of a citizen of Spain, a member of the EU), so were we to accept that the GDPR applies to entities outside of the EU (I couldn't find any info on China's stance on the GDPR.), they are obligated to follow it under 3.2a and 3.2b.

As for the lawsuit part, Facebook has been hit with sanction over sanction for GDPR violations, the most recent one I could find was an over 400 million euro sanction because of their targeted advertisement practices (https://www.theverge.com/2023/1/4/23538750/ireland-dpc-meta-instagram-facebook-gdpr-violation-fines). However, sharing data with shady data brokers just pays so well that the big tech companies can afford to just ignore these laws and fight these cases in court instead of not doing shady things.

Additionally, while looking at POST requests made while watching videos, I found that bilibili had set a cookie named fingerprint.

> (a) we are able to confirm that there is strict GDPR compliance OR equivalent compliance

From a reputable law comparison between the Chinese PIPL and the EU GDPR: https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr/
Likely equivalent compliance or stronger, but with a few edits here and there to fit 1.4 billion people.

There is an issue with the PIPL law itself, which only requires processing entities to respond "timely". But Bilibili does declare that they respond within 15 days, which is compliant with the GDPR's 30 days to respond.

> (b) the part about fingerprinting is not true and that can be confirmed, this would have to be declined.

Other sites got approved despite fingerprinting people, so why do they get approved but not this? How exactly does the CSP approval process work?
And I'm only requesting player.bilibili.com, which likely doesn't have fingerprinting (as far as I checked in my browser), not the whole *.bilibili.com, which may have *security risks*.
I know the last time *.bilibili.com got rejected because it covered far too much, and I narrowed it down to just the video player (player.bilibili.com) in this task to make it easier to pass CSP.

> Other sites got approved despite fingerprinting people, so why do they get approved but not this? How exactly does the CSP approval process work?

Technically additions to the CSP are solely dependent on first being approved by SRE (of which Reception is a member), then Trust and Safety. I'm just a regular user joining this task because I saw that fingerprint script. I can't do anything about the other websites, but if I could I likely would have tried to prevent their addition.

This comment was removed by Max20091.

"Other sites got approved despite fingerprinting people" - which ones are those?

I've been taking a deeper look into the fingerprinter, just running it through a beautifier revealed part of what all the suspicious numbers are about.

Apart from all the already-known information, the script indeed performs canvas fingerprinting, attempts to detect browsers lying about user agents (this can be the case if you installed an extension that allows setting custom user agent headers), retrieves the number of logical processors (aka cores), performs audio fingerprinting (more about that here), attempts to retrieve the amount of memory, checks the available fonts, checks if indexedDB is available (? I don't know yet if it just checks if it exists or is looking for something more, probably just checks if it exists), and much, much more. Pretty cool, huh?

I also found this:

throw new Error("'new Fingerprint()' is deprecated, see https://github.com/fingerprintjs/fingerprintjs#upgrade-guide-from-182-to-200")

So now we also know what fingerprint script they're running.

It is also pretty cool how the guys behind fingerprintjs (who also operate fingerprint.com) call this BS a "security measure". Rule nº1 of security: do not trust any third-party-provided values. They should know they are bullshitting and the only real use for this is tracking people.
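As an added example (this code is not from the task, from Bilibili or from fingerprintjs), the following monitor shows how a practitioner can confirm the probes described above from the browser side without reading minified code: it wraps the canvas, font-measurement, WebGL, audio and navigator APIs that a fingerprinting script touches and records which probes fire and from which script. All function names are my own, and the stub browser objects in `demo()` are constructed so that the logic runs offline; in a real browser you would call `createFingerprintMonitor(window)` from a user script or extension content script that runs before page scripts.

```javascript
// Added example: wraps the browser APIs a fingerprinting script probes and
// records which probes fire. Not code from the task, from Bilibili or from
// fingerprintjs; function names and the stub objects in demo() are my own.

function createFingerprintMonitor(env) {
  const hits = []; // { probe, caller } in order of occurrence

  // Best-effort attribution: first stack frame outside this monitor.
  function callerFromStack() {
    const frames = (new Error().stack || '').split('\n').slice(1);
    for (const frame of frames) {
      if (/callerFromStack|\brecord\b|fpMonitorWrapper|fpMonitorGetter/.test(frame)) continue;
      const m = frame.match(/https?:\/\/[^\s)]+/);
      return m ? m[0].replace(/:\d+:\d+$/, '') : frame.trim();
    }
    return 'unknown';
  }

  function record(probe) {
    hits.push({ probe, caller: callerFromStack() });
  }

  // Replace a prototype method with a wrapper that records the call first.
  function wrap(ctor, name, probe) {
    const proto = ctor && ctor.prototype;
    if (!proto || typeof proto[name] !== 'function') return;
    const original = proto[name];
    proto[name] = function fpMonitorWrapper(...args) {
      record(probe);
      return original.apply(this, args);
    };
  }

  // Replace an accessor so that every read is recorded.
  function defineGetterProbe(ctor, name, probe) {
    const proto = ctor && ctor.prototype;
    const desc = proto && Object.getOwnPropertyDescriptor(proto, name);
    if (!desc || typeof desc.get !== 'function' || !desc.configurable) return;
    const originalGet = desc.get;
    Object.defineProperty(proto, name, {
      ...desc,
      get: function fpMonitorGetter() { record(probe); return originalGet.call(this); },
    });
  }

  // Canvas fingerprinting: rendered text/shapes read back as pixels.
  wrap(env.HTMLCanvasElement, 'toDataURL', 'canvas.toDataURL');
  wrap(env.CanvasRenderingContext2D, 'getImageData', 'canvas.getImageData');
  // Font enumeration: measuring a test string in many candidate fonts.
  wrap(env.CanvasRenderingContext2D, 'measureText', 'font.measureText');
  // WebGL fingerprinting: renderer/vendor strings and extension lists.
  wrap(env.WebGLRenderingContext, 'getParameter', 'webgl.getParameter');
  wrap(env.WebGLRenderingContext, 'getSupportedExtensions', 'webgl.getSupportedExtensions');
  // Audio fingerprinting: an oscillator rendered through an OfflineAudioContext.
  wrap(env.OfflineAudioContext, 'createOscillator', 'audio.createOscillator');
  // Hardware details read from navigator.
  defineGetterProbe(env.Navigator, 'hardwareConcurrency', 'navigator.hardwareConcurrency');
  defineGetterProbe(env.Navigator, 'deviceMemory', 'navigator.deviceMemory');

  return {
    hits,
    // probe name -> call count, plus the distinct calling scripts seen
    report() {
      const counts = {};
      const callers = new Set();
      for (const h of hits) {
        counts[h.probe] = (counts[h.probe] || 0) + 1;
        callers.add(h.caller);
      }
      return { counts, callers: [...callers] };
    },
  };
}

// In a browser: const monitor = createFingerprintMonitor(window);
// and later console.table(monitor.report().counts).

// Offline demonstration against a constructed stub of the browser globals,
// driven by a simulated fingerprinter.
function demo() {
  class HTMLCanvasElement { toDataURL() { return 'data:image/png;base64,AAAA'; } }
  class CanvasRenderingContext2D {
    getImageData() { return { data: new Uint8ClampedArray(4) }; }
    measureText(text) { return { width: text.length * 7 }; }
  }
  class Navigator {}
  Object.defineProperty(Navigator.prototype, 'hardwareConcurrency', {
    get() { return 8; }, configurable: true,
  });
  const monitor = createFingerprintMonitor({ HTMLCanvasElement, CanvasRenderingContext2D, Navigator });

  const canvas = new HTMLCanvasElement();
  const ctx = new CanvasRenderingContext2D();
  canvas.toDataURL();                           // canvas hash
  ctx.getImageData(0, 0, 1, 1);                 // pixel readback
  for (const font of ['Arial', 'Courier New', 'Verdana']) {
    ctx.measureText('mmmmmmmmmmlli ' + font);   // font probing
  }
  const nav = Object.create(Navigator.prototype);
  const cores = nav.hardwareConcurrency;        // hardware detail

  return { report: monitor.report(), cores };
}
```

The wrappers are transparent (they return the original value), so the page keeps working while the report accumulates; the caller attribution is best-effort from the stack trace and is good enough to tell a first-party bundle from a script pulled in from another host.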

> "Other sites got approved despite fingerprinting people" - which ones are those?

youtube.com
twitter.com
spotify.com
bing.com
google.com

> I've been taking a deeper look into the fingerprinter, just running it through a beautifier revealed part of what all the suspicious numbers are about.
>
> Apart from all the already-known information, the script indeed performs canvas fingerprinting, attempts to detect browsers lying about user agents (this can be the case if you installed an extension that allows setting custom user agent headers), retrieves the number of logical processors (aka cores), performs audio fingerprinting (more about that here), attempts to retrieve the amount of memory, checks the available fonts, checks if indexedDB is available (? I don't know yet if it just checks if it exists or is looking for something more, probably just checks if it exists), and much, much more. Pretty cool, huh?
>
> I also found this:
>
> throw new Error("'new Fingerprint()' is deprecated, see https://github.com/fingerprintjs/fingerprintjs#upgrade-guide-from-182-to-200")
>
> So now we also know what fingerprint script they're running.
>
> It is also pretty cool how the guys behind fingerprintjs (who also operate fingerprint.com) call this BS a "security measure". Rule nº1 of security: do not trust any third-party-provided values. They should know they are bullshitting and the only real use for this is tracking people.

More likely for fraud detection.
https://fingerprint.com/resources/frequently-asked-questions-faqs/

image.png (278×750 px, 53 KB)

image.png (154×750 px, 28 KB)

But again, as it never reveals PII (personally identifiable information) in the first place, it does not require consent and is GDPR compliant.

@OrangeStar Could you please show me which script includes the fingerprint tracking method, and where it is? I tried beautifying the JavaScript from player.bilibili.com and searching for "fingerprint" in it, but nothing was found.
I suspect you are visiting www.bilibili.com instead of player.bilibili.com. The whole bilibili website is too huge, contains lots of complex stuff, and is definitely hard for the Miraheze T&S Team, so we narrowed it down to player.bilibili.com - only the embedded player itself.

image.png (343×526 px, 22 KB)

By the way, I'm trying to contact the Bilibili technology team through their official account on Bilibili itself and invite them to join our discussion here. Here are my current messages:

image.png (931×1 px, 145 KB)

Translation:

  • Hello, I'd like to know information about the data collection of Bilibili's external embedded HTML5 player(player.bilibili.com).
  • Here's the background. I'm hosting a wiki on Miraheze, and I really want to embed Bilibili's HTML5 player in it. However, Miraheze has strict rules on data security and requires all external contents in wiki pages must comply with GDPR strictly, so they can add them to the CSP whitelist. Previously we tried to request adding bilibili.com to the whitelist, but was finally declined due to lots of uncertainty and the source code leaking affair. Now we are trying to request adding only player.bilibili.com to the whitelist because we find that it's simpler and sets fewer cookies. Now Miraheze needs to confirm whether the HTML5 player strictly complies with GDPR or an equivalence policy and whether the player's script contains fingerprint tracking stuff, so I hope I can know about it.
  • Our discussion about this issue is public, so if you don't want to tell me something about it, you can visit our discussion page and reply to it. Here's the link: https://phabricator.miraheze.org/T9953
  • Really hope for your early reply!

The script is at https://s1.hdslb.com/bfs/seed/log/report/log-reporter.js, it is included on every page at the main website.

Finally the embedded player works for me (I visited https://player.bilibili.com/player.html?bvid=BV1GD4y1p78U), so I've taken every request under scrutiny. The embedded player seems OK to me, I didn't see anything (too) suspicious, doesn't include the script above most importantly. As for domains needed for the player to work:

  • player.bilibili.com needs permission to serve HTML and JS.
  • It must be able to make JSON requests to api.bilibili.com, a request is done to query for metadata related to the video, such as the picture, video owner, subtitles, that kind of stuff.
  • It must be able to download images from static.hdslb.com.
  • It attempts to open a websocket with broadcast.chat.bilibili.com:4095/sub.
  • The actual video is downloaded from upos-hz-mirrorakam.akamaized.net
  • Some GET requests are sent to data.bilibili.com, containing in its parameters what video player is being used (I suppose these sites still support flash) and many unknown-purpose numbers, though nothing makes me think they are fingerprinting here.
  • A series of images are downloaded from bimp.hdslb.com, i0.hdslb.com, i1.hdslb.com and i2.hdslb.com

So, to summarize:

Images: static.hdslb.com, bimp.hdslb.com, i0.hdslb.com, i1.hdslb.com, i2.hdslb.com
Scripts: player.bilibili.com
API: api.bilibili.com, data.bilibili.com
WSS: broadcast.chat.bilibili.com
Video: upos-hz-mirrorakam.akamaized.net

The first one can be summarized as "allow images from *.hdslb.com". Don't recommend allowing scripts as that's the place where the fingerprint script is hosted.
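As an added example (not code from the task, from Miraheze or from Bilibili), the following turns the list above into CSP directives and checks candidate loads against them, including the point just made: with `*.hdslb.com` allowed for images only, the fingerprinting script at s1.hdslb.com still fails `script-src`. Only the hosts come from the comment; the URL paths in `observedLoads` are assumed, and every name is mine. One caveat the thread does not spell out: when the player is embedded as an iframe, the wiki's own CSP controls just the iframe (`frame-src`), while the loads inside it are governed by player.bilibili.com's own policy; the remaining directives are still the right way to audit what the player pulls in, and would apply directly if its resources were ever loaded into the wiki page itself.

```javascript
// Added example: derive the narrowest CSP host sources from the loads observed
// for the embedded player and check candidate loads against them. Not code
// from the task, Miraheze or Bilibili; the URL paths in observedLoads are
// assumed (only the hosts come from the list above), and all names are mine.

// Constructed sample of loads seen for https://player.bilibili.com/player.html.
const observedLoads = [
  { type: 'frame',     url: 'https://player.bilibili.com/player.html?bvid=BV1GD4y1p78U' },
  { type: 'script',    url: 'https://player.bilibili.com/player.js' },
  { type: 'xhr',       url: 'https://api.bilibili.com/x/player/view' },
  { type: 'xhr',       url: 'https://data.bilibili.com/log/web' },
  { type: 'websocket', url: 'wss://broadcast.chat.bilibili.com:4095/sub' },
  { type: 'image',     url: 'https://static.hdslb.com/images/loading.gif' },
  { type: 'image',     url: 'https://bimp.hdslb.com/bfs/cover.jpg' },
  { type: 'image',     url: 'https://i0.hdslb.com/bfs/cover.jpg' },
  { type: 'image',     url: 'https://i1.hdslb.com/bfs/cover.jpg' },
  { type: 'image',     url: 'https://i2.hdslb.com/bfs/cover.jpg' },
  { type: 'media',     url: 'https://upos-hz-mirrorakam.akamaized.net/upgcxcode/video.m4s' },
];

// Which CSP directive governs each kind of load.
const directiveForType = {
  frame: 'frame-src', script: 'script-src', xhr: 'connect-src',
  websocket: 'connect-src', image: 'img-src', media: 'media-src',
};

const defaultPorts = { 'https:': '443', 'wss:': '443', 'http:': '80', 'ws:': '80' };

// Group observed scheme://host[:port] origins under their directive.
function buildPolicy(loads) {
  const sets = {};
  for (const { type, url } of loads) {
    const directive = directiveForType[type];
    if (!directive) throw new Error(`unmapped load type: ${type}`); // never whitelist by accident
    const u = new URL(url);
    (sets[directive] = sets[directive] || new Set()).add(`${u.protocol}//${u.host}`);
  }
  const policy = {};
  for (const directive of Object.keys(sets).sort()) policy[directive] = [...sets[directive]].sort();
  return policy;
}

function serializePolicy(policy) {
  return Object.entries(policy).map(([d, sources]) => `${d} ${sources.join(' ')}`).join('; ');
}

// CSP host-source matching for scheme://host[:port] with an optional
// leading "*." on the host (the subset of CSP3 syntax used here).
function sourceMatches(source, urlString) {
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^/:*]+|[^/:*]+)(?::(\d+|\*))?$/i);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  const u = new URL(urlString);
  if (scheme && `${scheme.toLowerCase()}:` !== u.protocol) return false;
  const host = u.hostname.toLowerCase();
  const pattern = hostPattern.toLowerCase();
  if (pattern.startsWith('*.')) {
    if (!host.endsWith(pattern.slice(1))) return false; // "*.hdslb.com" needs ".hdslb.com" suffix
  } else if (host !== pattern) {
    return false;
  }
  // No port in the source means "the default port of the scheme".
  const urlPort = u.port || defaultPorts[u.protocol] || '';
  const sourcePort = port || defaultPorts[scheme ? `${scheme.toLowerCase()}:` : u.protocol] || '';
  return sourcePort === '*' || sourcePort === urlPort;
}

function isAllowed(policy, directive, url) {
  const sources = policy[directive] || policy['default-src'] || [];
  return sources.some((s) => sourceMatches(s, url));
}

const playerPolicy = buildPolicy(observedLoads);
// The "allow images from *.hdslb.com" shorthand from the comment above.
const playerPolicyWildcardImages = { ...playerPolicy, 'img-src': ['https://*.hdslb.com'] };
const fingerprintScript = 'https://s1.hdslb.com/bfs/seed/log/report/log-reporter.js';

function evaluate() {
  return {
    header: serializePolicy(playerPolicy),
    // The fingerprinting script's host is allowed for images only, never scripts.
    fingerprintScriptBlocked:
      !isAllowed(playerPolicy, 'script-src', fingerprintScript) &&
      !isAllowed(playerPolicyWildcardImages, 'script-src', fingerprintScript),
    // An image CDN host not seen during capture: blocked strictly, allowed by wildcard.
    unseenImageHostStrict: isAllowed(playerPolicy, 'img-src', 'https://i3.hdslb.com/bfs/cover.jpg'),
    unseenImageHostWildcard: isAllowed(playerPolicyWildcardImages, 'img-src', 'https://i3.hdslb.com/bfs/cover.jpg'),
    // The chat socket matches only on its explicit port.
    chatSocket: isAllowed(playerPolicy, 'connect-src', 'wss://broadcast.chat.bilibili.com:4095/sub'),
    chatSocketDefaultPort: isAllowed(playerPolicy, 'connect-src', 'wss://broadcast.chat.bilibili.com/sub'),
  };
}
```

`serializePolicy(playerPolicy)` yields the directive string to append to an existing policy; the wildcard variant trades a little breadth for not having to re-capture every time Bilibili adds another numbered image host, and the port check shows why `broadcast.chat.bilibili.com` must be listed with `:4095` rather than bare.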

Reception123 claimed this task.

This task has generated a lot of debate and both sides have been considered, as well as observations by the T&S team in the T9252 task. Unfortunately, I have come to the conclusion that the different concerns expressed by T&S in that previous task have not been sufficiently addressed and the circumstances mentioned haven't changed since then. In addition, a CSP whitelist addition requiring so much debate and back and forth is in itself an indication that there are concerns to be had.

I apologize for the inconvenience caused by this decline, but until all the concerns are addressed and the site fulfils our CSP policy we are unable to allow it.