
Hunt for Toolforge tools that load resources from third party sites
Open, Normal, Public

Description

Enumerating the list of tools at https://tools.wmflabs.org/admin/tools, and using slimerjs to visit each tool to see where they load resources from, we can get a list of tools that are definitely loading third-party resources without consent.

Quick and dirty source code: P5822 P5823
Initial python output: P5824
More filtered output: P5825 (exclude lines with //wikidata.org/, //www.wikidata.org/, //mediawiki.org/, //www.mediawiki.org/, //phab.wmfusercontent.org/, : ERROR:, : TRACE:, : -> , Unable to load the address)
List of tools: P5826

This task shall track the tasks that ask each tool to load resources from wmf-internal locations (eg. cdnjs, fontcdn, maps.wikimedia.org, etc.), instead of external third-party sites (eg. google, bootstrapcdn, github, cloudflare, openstreetmap, etc.)
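
The filtering step described above, as an added example (not the code in P5822/P5823, which is not shown on this page): it reads lines in the `<tool URL>: <resource URL>` shape quoted in this task and groups third-party hosts per tool. It matches on the parsed hostname rather than on substrings such as `//wikidata.org/`; the first-party suffix list and the `example` tool lines are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed first-party suffixes for this sketch; adjust to the actual policy.
FIRST_PARTY_SUFFIXES = (
    "wmflabs.org", "wikimedia.org", "wikidata.org",
    "mediawiki.org", "wmfusercontent.org",
)
TOOL_PREFIX = "https://tools.wmflabs.org/"

# First three lines come from this task (the third is shortened);
# the "example" tool lines and the ERROR line are constructed.
SAMPLE = """\
https://tools.wmflabs.org/monumental/: https://fonts.googleapis.com/css?family=Merriweather&subset=cyrillic,cyrillic-ext,latin-ext
https://tools.wmflabs.org/topviews/: https://wikimedia.org/api/rest_v1/metrics/pageviews/top/en.wikipedia/all-access/2017/06/all-days
https://tools.wmflabs.org/intuition/: https://translatewiki.net/w/i.php?title=Special:TranslationStats&graphit=1
https://tools.wmflabs.org/example/: https://notwikimedia.org/lib.js
https://tools.wmflabs.org/example/: //maps.wikimedia.org/osm/1/0/0.png
https://tools.wmflabs.org/example/: ERROR: Unable to load the address
"""

def resource_host(url):
    """Return the lowercased hostname of a resource URL, or '' if it has none."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".").lower()

def is_first_party(host):
    # Match whole DNS labels so "notwikimedia.org" does not pass as wikimedia.org.
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)

def third_party_by_tool(lines):
    """Map each tool URL to the sorted third-party hosts it loads from."""
    report = defaultdict(set)
    for line in lines:
        tool, sep, resource = line.strip().partition(": ")
        if not sep or not tool.startswith(TOOL_PREFIX):
            continue  # not a "<tool>: <resource>" line
        host = resource_host(resource)
        if host and not is_first_party(host):  # lines with no host are noise
            report[tool].add(host)
    return {tool: sorted(hosts) for tool, hosts in report.items()}

if __name__ == "__main__":
    for tool, hosts in third_party_by_tool(SAMPLE.splitlines()).items():
        print(tool, "->", ", ".join(hosts))
```
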

Event Timeline

zhuyifei1999 removed zhuyifei1999 as the assignee of this task. Aug 11 2017, 1:47 AM

Done. Special cases from P5825 that I did not create a task:

https://tools.wmflabs.org/cobain/: http://tools.wikimedia.de/%7Echm/style/style.css
https://tools.wmflabs.org/cobain/: https://www.toolserver.org/~chm/style/style.css

^ 404s, and toolserver now routes to wikimedia right?

https://tools.wmflabs.org/file-reuse/: https://lizenzhinweisgenerator.de/
[...]

^ redirects to WMDE site

https://tools.wmflabs.org/intuition/: https://translatewiki.net/w/i.php?title=Special:TranslationStats&graphit=1&count=edits&scale=months&days=250&width=520&height=400&group=tsint-0-all

^ Dunno...

https://tools.wmflabs.org/monumental/: https://fonts.googleapis.com/css?family=Roboto:300,400,500,700&subset=latin,latin-ext
https://tools.wmflabs.org/monumental/: https://fonts.googleapis.com/css?family=Merriweather&subset=cyrillic,cyrillic-ext,latin-ext
https://tools.wmflabs.org/monumental/: https://fonts.gstatic.com/s/roboto/v16/5M21SdFLkD52QavfmHs6cA.ttf
https://tools.wmflabs.org/monumental/: https://fonts.gstatic.com/s/roboto/v16/oOeFwZNlrTefzLYmlVV1UKCWcynf_cDxXwCLxiixG1c.ttf

^ Task already exists as T168786. Added as subtask.

https://tools.wmflabs.org/topviews/: https://wikimedia.org/api/rest_v1/metrics/pageviews/top/en.wikipedia/all-access/2017/06/all-days

^ WMF site, okay

https://tools.wmflabs.org/wikidata-map/: https://query.wikidata.org/sparql?query=PREFIX%20wd%3A%3Chttp%3A%2F%2Fwww.wikidata.org%2Fentity%2F%3E%20PREFIX%20wdt%3A%3Chttp%3A%2F%2Fwww.wikidata.org%2Fprop%2Fdirect%2F%3E%20PREFIX%20wikibase%3A%3Chttp%3A%2F%2Fwikiba.se%2Fontology%23%3E%20PREFIX%20p%3A%3Chttp%3A%2F%2Fwww.wikidata.org%2Fprop%2F%3E%20PREFIX%20rdfs%3A%3Chttp%3A%2F%2Fwww.w3.org%2F2000%2F01%2Frdf-schema%23%3E%20PREFIX%20psv%3A%3Chttp%3A%2F%2Fwww.wikidata.org%2Fprop%2Fstatement%2Fvalue%2F%3E%20%20SELECT%20DISTINCT%20%3Fitem%20%3Fname%20%3Flat%20%3Flon%20WHERE%20%7B%20%3Fitem%20wdt%3AP31%20wd%3AQ33506%20.%20%3Fitem%20p%3AP625%20%3Fcoordinate%20.%20%3Fcoordinate%20psv%3AP625%20%3Fcoordinate_node%20.%20%3Fcoordinate_node%20wikibase%3AgeoLatitude%20%3Flat%20.%20%3Fcoordinate_node%20wikibase%3AgeoLongitude%20%3Flon%20.%20%3Fcoordinate_node%20wikibase%3AgeoGlobe%20wd%3AQ2%20SERVICE%20wikibase%3Alabel%20%7B%20bd%3AserviceParam%20wikibase%3Alanguage%20%22en%22%20.%20%3Fitem%20rdfs%3Alabel%20%3Fname%20%7D%20%7D%20ORDER%20BY%20ASC%20(%3Fname)%20LIMIT%20100000&format=json

^ WMF site, okay.

If I missed anything please tell me.

greg awarded a token. Aug 11 2017, 1:49 AM
Peachey88 moved this task from Backlog to Doing on the Privacy board. Aug 14 2017, 10:02 AM
tom29739 renamed this task from Hunt for Toolforge tools that loads resources from third party sites to Hunt for Toolforge tools that load resources from third party sites. Aug 26 2017, 12:50 AM

@zhuyifei1999

https://tools.wmflabs.org/intuition/: https://translatewiki.net/w/i.php?title=Special:TranslationStats&graphit=1&count=edits&scale=months&days=250&width=520&height=400&group=tsint-0-all

^ Dunno...

Why excluding? TWN is clearly having different Privacy Policy, Terms of Use and licenses than WMF, or are you willing to purchase that site to be under WMF umbrella? Or any reason that can't make a dynamic dump from it rather than directly querying?

@zhuyifei1999

https://tools.wmflabs.org/intuition/: https://translatewiki.net/w/i.php?title=Special:TranslationStats&graphit=1&count=edits&scale=months&days=250&width=520&height=400&group=tsint-0-all

^ Dunno...

Why excluding? TWN is clearly having different Privacy Policy, Terms of Use and licenses than WMF, or are you willing to purchase that site to be under WMF umbrella? Or any reason that can't make a dynamic dump from it rather than directly querying?

I'm still waiting for the proper answers, or I can feel free to create a subtask for this?

or I can feel free to create a subtask for this?

go ahead.

Huji added a subscriber: Huji. Mar 11 2018, 9:11 PM

Is the following considered external resources or are they valid?

tools.wmflabs.org/wikivoyage/w/poimap2.php

The tool doesn't by default load any external resources, and users are warned about it if they choose external-hosted layers: "Content with [icon] is hosted externally, so enabling it shares your data with other sites." IMO if a production site links to a layer hosted externally then that would be a problem. See also T186247

http://maps.wikivoyage-ev.org

They should change that to the replica on toolforge, https://tools.wmflabs.org/wikivoyage/w/artmap.php