While loading Monumental I noticed some things being loaded from fonts.googleapis.com in https://tools.wmflabs.org/monumental/assets/bundle.min.js?v=17.05.02 . I'm pretty sure the Toollabs/WMF privacy policy doesn't allow that. I've been digging through the documentation and can't find the actual page explaining it. I'm pretty sure somewhere in Toollabs we have a place to host the standard static JavaScript / CSS things so you can use them without violating any privacy policies.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T133919 [EPIC] Protect end-user privacy by restricting non-consensual third-party browser interactions
Open | | None | T130748 Add Content-Security-Policy header enforcing 3rd party web interaction restrictions to proxy responses
Open | | None | T172065 Hunt for Toolforge tools that load resources from third party sites
Resolved | | Yarl | T168786 Monumental imports css from fonts.googleapis.com
Event Timeline
FWIW, a reverse proxy to fonts.googleapis.com is/was being worked on in T110027: Create a fonts CDN for use on Tool Labs, but currently stuck in code review.