First thing I noticed was a file called google-chart.js that calls out to Google from wikipedia.org.

please note that while this is the initial upload, it's not the final version. we are expecting more changes/development to happen via Gerrit.

I believe our due date here is _before_ 15 January 2016, because @Heather said "15 January 2001" on T599.

https://gerrit.wikimedia.org/r/#/c/254614/1 says WIP, is this really ready for a security review?

I think we can't have it both ways and ask for a review before anything is merged but also expect it to be ready in first commit and that development is happening in incremental steps in public.

Added some general comments. Licensing does need to be figured out too.

I've just submitted a Patch that include a license. Also, we are no longer using google-chart.js, so the call offsite will no longer be an issue. Thanks!

@csteipp Steph has uploaded https://gerrit.wikimedia.org/r/#/c/262586/ as the final commit. Could you review that please? thank you

@csteipp correction, Steph uploaded a new version here https://gerrit.wikimedia.org/r/#/c/262679/ that should contain all files

@Dzahn, the twitter urls there point to http://15.wikipedia.org. Do we have https on that domain?

From https://gerrit.wikimedia.org/r/#/c/262679/, I think 1 thing is needed before it's deployed:

• app.js still references both twitter and 15.wikipedia.org via http, instead of https. Those urls should be updated.

And not security, but masonry.js, chart.js, and bodymovin.js all look like MIT licensed libraries, but their license comments are missing. Someone should check with legal to make sure that's appropriate.

And not security, but masonry.js, chart.js, and bodymovin.js all look like MIT licensed libraries, but their license comments are missing. Someone should check with legal to make sure that's appropriate.

Maybe @Slaporte?

I'll take a look.