
Use OAuth for
Open, Needs Triage · Public


Converting the tool to use OAuth would:

  • Eliminate the need for the use of reCaptcha, which is an end-user privacy concern if not a Tool Labs Terms of Use/Privacy Policy violation.
    • The privacy concern here is that a WMF hosted web page is automatically including 3rd party assets (in this case an iframe).
  • Eliminate passing password data into the Tool Labs environment, which is a general security concern (POSTed password data cannot be guaranteed to be secure in the Tool Labs environment).
  • Eliminate local account creation without required end-user notice.

Event Timeline

Restricted Application added subscribers: Zppix, Aklapper. · May 15 2016, 4:22 AM

The required 'account creation' notice isn't there, and it's using reCaptcha so loading content from other sites without user consent, so all of this is a Tool Labs Terms of Use/Privacy Policy violation.