Page MenuHomePhabricator
Create Task
Maniphest T201022

Third party resources loaded by wikimediafoundation.org
Closed, ResolvedPublic
Actions

Assigned To
Varnent
Authored By
Nemo_bis
Aug 2 2018, 4:38 PM
Tags
Referenced Files
F25530910: Privacy Badger wikimediafoundation.org 2018-08-30.png
Aug 30 2018, 10:27 PM
F25530656: Screenshot from 2018-08-30 23-41-20.png
Aug 30 2018, 9:43 PM
Subscribers
Addshore
Aklapper
Bawolff
Bugreporter
Chicocvenancio
dbarratt
EdErhart-WMF
View All 19 Subscribers
Tokens
"Heartbreak" token, awarded by Liuxinyu970226."Heartbreak" token, awarded by Addshore."Heartbreak" token, awarded by Aklapper."Heartbreak" token, awarded by Chicocvenancio."Evil Spooky Haunted Tree" token, awarded by Tbayer."Heartbreak" token, awarded by BethNaught.

Description

https://wikimediafoundation.org/technology/ attempts to load resources from wp.com, googleapis.com and gravatar.com.

Related Objects
Search...

Event Timeline

Nemo_bis created this task.Aug 2 2018, 4:38 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 2 2018, 4:38 PM
Aklapper added a project: Privacy.Aug 2 2018, 5:27 PM
Bugreporter merged a task: T201049: Do not use third-party resource in wikimediafoundation.org.Aug 2 2018, 5:29 PM
Bugreporter subscribed.
Bawolff subscribed.Aug 2 2018, 5:46 PM

https://wikimediafoundation.org/technology/ attempts to load resources from wp.com, googleapis.com and gravatar.com.

Not just external resources, but javascript resources.

It should also be noted that the load of piwik.wikimedia.org is loading third party cookies not mentioned on wikimedia cookie statement which seems to be violation of non-wiki privacy policy (Its a "third party" cookie in the definition browsers use, as a cookie from a different origin, not that its actually from a third party)

Dzahn subscribed.Aug 2 2018, 6:30 PM

Please remove gravatar. We have removed it in the past from multiple places always for the same reasons, such as gitblit, grafana.

I think loading external javascript in general should be a High prio issue. We went through removing this for all the microsites as part of the security reviews they got.

Varnent moved this task from Incoming to Maintenance on the wikimediafoundation.org board.Aug 3 2018, 3:40 PM
BethNaught awarded a token.Aug 3 2018, 4:21 PM
MusikAnimal subscribed.Aug 3 2018, 5:39 PM
Tbayer awarded a token.Aug 3 2018, 6:13 PM
Tbayer subscribed.
dbarratt subscribed.Aug 6 2018, 3:33 AM
Chicocvenancio awarded a token.Aug 6 2018, 4:00 PM
Chicocvenancio subscribed.
Reedy mentioned this in T201422: Wikimedia Foundation website includes Wordpress tracking pixel.Aug 9 2018, 12:38 AM
zhuyifei1999 subscribed.Aug 10 2018, 5:38 AM
TheDJ subscribed.Aug 10 2018, 1:41 PM
Mholloway subscribed.Aug 17 2018, 3:47 AM
EdErhart-WMF subscribed.Aug 20 2018, 9:48 PM
Legoktm triaged this task as High priority.Aug 30 2018, 7:32 AM
Legoktm subscribed.

Setting high priority per T201022#4473788 and T201022#4473521

kaldari subscribed.Aug 30 2018, 7:32 AM
Aklapper awarded a token.Aug 30 2018, 9:41 AM
Addshore awarded a token.Aug 30 2018, 10:12 AM
Addshore subscribed.Aug 30 2018, 10:14 AM

Did this site actually go through a security review of any kind?
I guess no, as as far as I can tell from T201572 it was developed externally and the code isn't open..

Tbayer added a subscriber: Varnent.Aug 30 2018, 10:20 AM

I agree that the Gravatar and Google resources are problematic privacy-wise and should be removed or replaced. But it also needs to be pointed out that wp.com is not a third party here - it's hosted by Automattic, like the main site wikimediafoundation.org, so loading that resource doesn't expose the visitor's IP to any additional parties. That's the same situation as on blog.wikimedia.org. When the blog was moved to Automattic's servers in 2014, particular attention was given to privacy aspects - to quote from the announcement at https://blog.wikimedia.org/2014/07/31/introducing-the-new-blog/ : "We [...] concluded that it made sense to work with a third-party host, Automattic, that has particular expertise in this area and understands our needs and values, including a commitment to free software. They have been a strong partner, working to meet our privacy standards, disabling some of their standard analytics tools and clarifying how they handle certain information. They have also altered their WordPress VIP Terms of Service to accommodate Creative Commons licenses." (Again, this is from 2014 and refers to blog.wikimedia.org - @Varnent is the expert on the current arrangements for wikimediafoundation.org.)

Bawolff added a comment.EditedAug 30 2018, 11:09 AM
In T201022#4544867, @Tbayer wrote:

I agree that the Gravatar and Google resources are problematic privacy-wise and should be removed or replaced. But it also needs to be pointed out that wp.com is not a third party here - it's hosted by Automattic, like the main site wikimediafoundation.org, so loading that resource doesn't expose the visitor's IP to any additional parties.

Minor point - Even if s0.wp.com is hosted by the same people as wikimediafoundation.org, loading resources from a shared domain like that does in theory provide some opportunities for correlating access to other domains that load s0.wp.com, beyond what can be done simply by recording IP addresses. So in principle, it could allow a wordpress to track if users visit other sites hosted by automattic even if the user's IP changes (e.g. Via third party cookies, however it should be noted that no cookies or set on that request, or perhaps more exotic tracking techniques like keeping track of TLS session resumption tickets). I should emphasize that it is extremely unlikely that they are doing this.

Tbayer added a comment.Aug 30 2018, 9:33 PM

FWIW, it seems that Gravatar and Google resources are no longer loaded on wikimediafoundation.org. @Legoktm, can you confirm (as someone who appears to have checked this task's assertions yesterday)?

Aklapper added a comment.Aug 30 2018, 9:43 PM

@Tbayer: Correct:

Screenshot from 2018-08-30 23-41-20.png (295×563 px, 39 KB)

kaldari added a comment.Aug 30 2018, 9:48 PM

It's also loading a tracking pixel from WordPress: https://pixel.wp.com/g.gif (which for some reason doesn't show up in Aklapper's output above.

Tbayer added a comment.Aug 30 2018, 10:27 PM
In T201022#4546999, @kaldari wrote:

It's also loading a tracking pixel from WordPress: https://pixel.wp.com/g.gif (which for some reason doesn't show up in Aklapper's output above.

FWIW, Privacy Badger doesn't seem to consider this and the other wp.com resources as tracking:

Privacy Badger wikimediafoundation.org 2018-08-30.png (390×425 px, 28 KB)

(I would still agree that they are a privacy concern if they were third party, but as discussed above, they are not.)

kaldari added a comment.Aug 31 2018, 12:10 AM

I would still agree that they are a privacy concern if they were third party, but as discussed above, they are not.

Got it. Even though they're not "3rd party" I still think we should remove them unless they are strictly necessary so that there's no confusion or uncertainty about it (especially with the community).

Liuxinyu970226 awarded a token.Sep 2 2018, 11:04 PM
Liuxinyu970226 subscribed.
cwdent mentioned this in T201203: blog.wikimedia.org loads external scripts.Sep 5 2018, 3:54 PM
Framawiki added subscribers: Security-Team, Framawiki.Sep 12 2018, 6:36 PM

Related: T201203: blog.wikimedia.org loads external scripts

Framawiki added a subtask: T201422: Wikimedia Foundation website includes Wordpress tracking pixel.Sep 12 2018, 6:37 PM
Yair_rand subscribed.Sep 12 2018, 6:41 PM
Varnent added a comment.Sep 21 2018, 9:34 PM

These scripts have been disabled while we investigate them further.

Ladsgroup mentioned this in T222089: Allow URL shortening for wikimediafoundation.org domain.Apr 30 2019, 4:25 AM
Aklapper added a comment.Apr 30 2019, 9:20 AM

@Varnent: What exactly is "investigated further"? What's left to do in this task? Is this open task still high priority?

Dzahn unsubscribed.Apr 30 2019, 9:30 PM
Varnent lowered the priority of this task from High to Medium.EditedApr 30 2019, 10:43 PM
In T201022#5146228, @Aklapper wrote:

@Varnent: What exactly is "investigated further"? What's left to do in this task? Is this open task still high priority?

@Aklapper - Not high priority - essentially we wanted to see what impact removing them would have on the existing design and design changes in progress. However, those are far enough long now I am reasonably confident we have the info we were looking for.

We could close the ticket now, or wait until design changes go live (in the next month or so) and close it then. I am fine either way.

Varnent closed this task as Resolved.Jul 11 2019, 11:43 PM
Varnent claimed this task.
Varnent closed subtask T201422: Wikimedia Foundation website includes Wordpress tracking pixel as Resolved.

Hello - I believe this ticket has been resolved with the updated design we released this week - which I invite you to checkout at: https://wikimediafoundation.org/
I am closing the ticket, but please let me know if it is not resolved on your end. Thank you!

Bawolff mentioned this in T233386: WikimediaFoundation.org participating in Global Climate Strike.Sep 20 2019, 4:08 AM
sbassett moved this task from Intake to Done on the Privacy board.Oct 16 2019, 5:46 PM
Aklapper removed a subscriber: Security-Team.Jun 29 2023, 2:25 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits