T11139: Using Extension:Video, the height of the embedded mp4 player is incorrect
I mean it have incorrect resolution due to some sort of broken transcoding.
The bug affects EmbedVideo extension.

I tried these things but didn't work:

• Cleared browser cache
• Purged pages
• Edited sidebar

In T9953#208018, @OrangeStar wrote:

I've been taking a deeper look into the fingerprinter, just running it through a beautifier revealed part of what all the suspicious numbers are about.

Apart from all the already-know information, the script indeed performs canvas fingerprinting, attempts to detect browsers lying about user-agents (this can be the case if you installed an extension that allows setting custom user agent headers), retrieves the number of logical processors (aka: cores), performs audio fingerprinting (more about that here), attempts to retrieve the amount of memory, checks the available fonts, checks if indexedDB is available(? I don't know yet if it just checks if it exists or it's looking for something more, probably just checks if it exists), and much, much more. Pretty cool, huh?

I also found this:

throw new Error("'new Fingerprint()' is deprecated, see https://github.com/fingerprintjs/fingerprintjs#upgrade-guide-from-182-to-200")

So now we also know what fingerprint script they're running.

It is also pretty cool how the guys behind fingerprintjs (who also operate fingerprint.com) call this BS a "security measure". Rule nº1 of security: do not trust any third-party-provided values. They should know they are bullshitting and the only real use for this is tracking people.

More likely for fraud detection.
https://fingerprint.com/resources/frequently-asked-questions-faqs/

In T9953#207983, @Reception123 wrote:

"Other sites got approved despite fingerprinting people" - which ones are those?

youtube.com
twitter.com
spotify.com
bing.com
google.com

In T9953#207925, @Reception123 wrote:

(a) we are able to confirm that there is strict GDPR compliance OR equivalent compliance

From reputable law comparision between Chinese PIPL and EU GDPR: https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr/
Likely equivalent compliance or stronger but with few edits here and there to fit 1.4 billion people.

In T9953#207818, @OrangeStar wrote:

That fingerprinting to build advertising profiles makes me think they do, so don't be so fast to say that they comply with the GDPR.

Chinese advertising profiles are very different than the "global" version one. I did test many years now and didn't see any non-Chinese ads on their Chinese platform.
They even block watching movies when not being Chinese users so it doesn't really make senses to them build advertising profiles for non-Chinese users.
And unless you can prove they did used your data for advertising purposes, GDPR can't help you to know if they ever sell your data to others. Chinese PIPL on the other hand requires company to prove themselves innocent so you can just sue them on the online court and they will spit out everything they do about your data.

Apparently Bilibili has 2 domains, bilibili.com, which is the Chinese version, and the worldwide bilibili.tv, according to Wikipedia. There seems to be an English version of the policy at https://web.archive.org/web/20230113020923/https://www.bilibili.com/blackboard/protocal/international_en_privacy.html, last updated September 29, 2021.

Interpreting it is not my work, but I just want to say 1 thing: In the fifth point of the 2nd section, "Who do we share your personal information with?", the third parties serving these targeted ads go unnamed, it says they exist, but doesn't say who they are. Article 13 of the GDPR requires disclosing to the data subject "the recipients or categories of recipients of the personal data, if any;".

The bilibili.tv website doesn't specifically target its services at individuals in the EU so it is not subject to the rules of the GDPR. Only bilibili.com which I'm request CSP here is subjected to the rules of GDPR.
This article 3 of gdpr.eu explains when GDPR applies to non-EU sites
And unlikely someone in MH would provide services using bilibili.tv anyway.

I can't for some reason. I've taken a look at the source: there's trivial inline scripts, open-source libraries like jQuery and an minified script with copyright Microsoft Corporation, Apache 2.0 license, without accompanying source code (it has a sourceMappingUrl comment, but it points nowhere). A quick look reveals that the script uses XMLHttpRequest, so it could very well pull in additional scripts, like the fingerprint script.

The last time you tested was some sort of "game event" website rather than watching videos so they might just collect WebGL data for fixing bug purposes.
The only one you can embed using bilibili.com website is their video player so that's why I'm request CSP for only that site.

Be aware that this is not Google or something that is highly invasive in the west, Chinese companies like Bilibili mostly don't share data with third parties so it does comply with GDPR easily.
You can read about their statement in "我们如何共享、转让、公开披露您的个人信息".

In T9953#207778, @OrangeStar wrote:

I tried navigating their Chinese website without NoScript and uBlock Origin. They're running a fingerprint script, I've attached a heavily redacted version of the report they're sending to their server. Redacted information includes WebGL fingerprint results, GPU driver name, screen and browser window resolutions, an UUID, part of the User-Agent header (this one though they already get without needing fingerprinting) and many suspicious-looking numbers. It is known that anonymized data ends up not being as anonymized as initially thought most of the time. Whether or not this gets approved is ultimately not my decision, but just on the fact that they're running a fingerprint script + no mention of the GDPR, if I were the one to decide this, I would decline this instantly.

redacted.webp61 KBDownload

@OrangeStar wrote:

Kinda unsurprising, given that this is a Chinese company. While the EU intended for the GDPR to apply worldwide to any company processing data of EU citizens, it would surprise me a lot if Chinese companies cared about what it said. Don't expect any straight answer from them.

Title: 关于隐私政策的询问 (Inquiries about the Privacy Policy)
Content: 你好，我可以问一下这个电子邮件是否有效吗？ (Hello, may I ask if this email is valid?)

Hello, seems like security@bilibili.com isn't used anymore, contact through their customer support at help@bilibili.com is much faster.

Reopen as the houkai2nd.miraheze.org still point to houkai2.cyou

Updated CSP request to target specifically Chinese Bilibili, does not apply to global version of Bilibili.
The Chinese site is also not store oversea data as in their Privacy Policy.

This real-time chat is only accessible if you have a verified Chinese account (if you don't verify then all data are anonymized) and if you specifically request data that require high security access (ie personal information), the chat bot will instead switch to a real person to handle the issue.

Testing pulling my own user data using direct CS chat.

In T9551#195380, @Ugochimobi wrote:

What do you intend to do? What do you want to do exactly?

Seems like not working as expected, can you replace the old one with this?

http://houkai2.cyou/

and then run refreshLinks.php

I'm not even sure how to configure this extension unless testing it multiple times to get the expected result.

Sorry for necro this task but seems to happened on custom domain: https://houkai2.cyou/
Tested clearing cache and cookie, used Edge and Chrome.

I have pointed the domain to only miraheze but not sure if there's something wrong.
Checked whois and indeed only ns2.miraheze.org and ns1.miraheze.org

already pointed to Miraheze, not sure if this is correct

In T9252#192883, @Owen wrote:

In T9252#187988, @Dmehus wrote:

The concern I have with this website is we've had a number of Terms of Use-related issues, both pre-Trust and Safety and since then, with wikis posting unauthorized personally identifying information, usually involving the BiliBili website in some way. Given the length of time such information was allowed to remain on the BiliBili platform, I'm not terribly confident in the responsiveness of the BiliBili's Data Protection Officer together with BiliBili's legal jurisdiction in which they operate.

Is a concern that has been raised and given our previous experiences with it, unless evidence can be shown that this has drastically improved, I will side with Doug on this and not agree to approve.

@Agent_Isai seems to work now.

Are there anyway to handle that automatically with mediawiki?
The wikitext I used was

[[File:Who killed Cock Robin? 5 Stars.png|200px]]

I checked around and noticed that pages that never got edited after imported (or after updated MW) seems to have this kind of issue.
Edit: Alright, I can fix the issue myself since there are very few pages needs to be fixed.

This is UnusedFiles, not WantedFiles.
The file https://houkai2nd.miraheze.org/wiki/File:Infinite_ammo_during_combat.png is used in https://houkai2nd.miraheze.org/wiki/Category:Infinite_ammo but was listed as unused which is kind of weird.

Definitely not infobox bug, checked another file that got the same issue
https://houkai2nd.miraheze.org/wiki/File:Infinite_ammo_during_combat.png
https://houkai2nd.miraheze.org/wiki/Category:Infinite_ammo

Seems like the wiki is working normal now

! In T9252#187988, @Dmehus wrote:
Given the length of time such information was allowed to remain on the BiliBili platform, I'm not terribly confident in the responsiveness of the BiliBili's Data Protection Officer together with BiliBili's legal jurisdiction in which they operate.

Not sure when did you see those stuffs but recently, the Chinese's GDPR equivalent was launched and most of companies in CN are already comply the law.
And yes, the law doesn't have timescale required to process data but if the issue is big enough, the company's reputation will get ruined pretty fast (aka recorded in CN's Social Credit System and you may know how horrible it was).
It is also much faster to remove those by requesting to the gov in case of having serious issues (they do have pages to specifically handle these stuffs).

! In T9252#187988, @Dmehus wrote:
What's the specific need here, and, given my concern above, is there not a video sharing site the videos could be posted to and we could whitelist that? For example, YouTube, or, failing that, a site like Google Drive (if that is already whitelisted), the The Internet Archive, or similar.

There are stuffs that can't be posted outside of the requested page (both personal issues and since most videos on that site mostly have owner's signature embedded), attempting to post the video to other sites is basically breaking the ToS on both sides.
My best bet is to only whitelist player.bilibili.com (aka only video player) in case of security or privacy concerns.

• About GDPR, it mostly goes through the 2 third-parties and you can opt-out right on the appsflyer website. For the Firebase, it's probably for people who use Google account on the English platform to sign-in.
• About privacy reputation from the above article (for the Chinese platform, not English one), it's the article is kinda wrong anyway as you can register account without entering any private information. The only thing that require verify private information is when uploading and commenting which is required by the Chinese government. And technically you can't verify account to upload as a foreign user unless explicit consent by sending an email, the automated verify system only accept Chinese info.