
Third party resources loaded by wikimediafoundation.org
Closed, Resolved, Public

Authored By
Nemo_bis, Aug 2 2018

Description

https://wikimediafoundation.org/technology/ attempts to load resources from wp.com, googleapis.com and gravatar.com.
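
A static check for the kind of loading this task reports, added here as an example (it is not part of the original task or of the site's code): it parses markup and lists every host outside a first-party allowlist that the page fetches from on load, rating script loads above passive ones. The sample HTML, its paths, the `fonts.` and `www.` subdomains, and the names `ResourceAudit` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tag -> attribute that makes the browser fetch something when the page loads.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link rel> values that trigger a fetch or connection (canonical etc. do not).
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "icon", "preconnect"}

class ResourceAudit(HTMLParser):
    """Record every non-first-party host the page loads a resource from."""
    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url, self.first_party = page_url, first_party
        self.findings = []  # (severity, tag, host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not url:
            return
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        # urljoin resolves relative and protocol-relative ("//host/x") URLs.
        host = (urlsplit(urljoin(self.page_url, url)).hostname or "").lower()
        if not host or any(host == fp or host.endswith("." + fp)
                           for fp in self.first_party):
            return
        # External script runs with the page's privileges; other loads disclose the visit.
        self.findings.append(("high" if tag == "script" else "medium", tag, host))

def audit(html, page_url, first_party):
    parser = ResourceAudit(page_url, first_party)
    parser.feed(html)
    return sorted(parser.findings)

# Constructed sample markup; hosts follow the task, paths are made up.
PAGE = "https://wikimediafoundation.org/technology/"
SAMPLE = """<head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Example">
<link rel="canonical" href="https://example.org/other">
<script src="//s0.wp.com/example.js"></script>
<script src="/static/site.js"></script>
</head><body>
<img src="https://www.gravatar.com/avatar/example">
<img src="https://pixel.wp.com/g.gif">
</body>"""
if __name__ == "__main__":
    for severity, tag, host in audit(SAMPLE, PAGE, ["wikimediafoundation.org"]):
        print(f"{severity:6} <{tag}> {host}")
```

A static parse misses resources that scripts inject at runtime, so pair it with a browser network log for full coverage. Adding `wp.com` to the allowlist models the argument made later in the thread that it is operated by the site's own host.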

Event Timeline

Nemo_bis created this task. Aug 2 2018, 4:38 PM
Restricted Application added a subscriber: Aklapper. Aug 2 2018, 4:38 PM
Bawolff added a subscriber: Bawolff. Aug 2 2018, 5:46 PM

https://wikimediafoundation.org/technology/ attempts to load resources from wp.com, googleapis.com and gravatar.com.

Not just external resources, but javascript resources.

It should also be noted that the load of piwik.wikimedia.org is loading third party cookies not mentioned on the Wikimedia cookie statement, which seems to be a violation of the non-wiki privacy policy. (It's a "third party" cookie in the definition browsers use, as a cookie from a different origin, not that it's actually from a third party.)

Dzahn added a subscriber: Dzahn. Aug 2 2018, 6:30 PM

Please remove gravatar. We have removed it in the past from multiple places always for the same reasons, such as gitblit, grafana.

I think loading external javascript in general should be a High prio issue. We went through removing this for all the microsites as part of the security reviews they got.

Tbayer added a subscriber: Tbayer.
TheDJ added a subscriber: TheDJ. Aug 10 2018, 1:41 PM
Legoktm triaged this task as High priority. Aug 30 2018, 7:32 AM
Legoktm added a subscriber: Legoktm.

Setting high priority per T201022#4473788 and T201022#4473521

Did this site actually go through a security review of any kind?
I guess no, as, as far as I can tell from T201572, it was developed externally and the code isn't open.

I agree that the Gravatar and Google resources are problematic privacy-wise and should be removed or replaced. But it also needs to be pointed out that wp.com is not a third party here - it's hosted by Automattic, like the main site wikimediafoundation.org, so loading that resource doesn't expose the visitor's IP to any additional parties. That's the same situation as on blog.wikimedia.org. When the blog was moved to Automattic's servers in 2014, particular attention was given to privacy aspects - to quote from the announcement at https://blog.wikimedia.org/2014/07/31/introducing-the-new-blog/ : "We [...] concluded that it made sense to work with a third-party host, Automattic, that has particular expertise in this area and understands our needs and values, including a commitment to free software. They have been a strong partner, working to meet our privacy standards, disabling some of their standard analytics tools and clarifying how they handle certain information. They have also altered their WordPress VIP Terms of Service to accommodate Creative Commons licenses." (Again, this is from 2014 and refers to blog.wikimedia.org - @Varnent is the expert on the current arrangements for wikimediafoundation.org.)

Bawolff added a comment. Edited Aug 30 2018, 11:09 AM

I agree that the Gravatar and Google resources are problematic privacy-wise and should be removed or replaced. But it also needs to be pointed out that wp.com is not a third party here - it's hosted by Automattic, like the main site wikimediafoundation.org, so loading that resource doesn't expose the visitor's IP to any additional parties.

Minor point - Even if s0.wp.com is hosted by the same people as wikimediafoundation.org, loading resources from a shared domain like that does in theory provide some opportunities for correlating access to other domains that load s0.wp.com, beyond what can be done simply by recording IP addresses. So in principle, it could allow a wordpress to track if users visit other sites hosted by Automattic even if the user's IP changes (e.g. via third party cookies, however it should be noted that no cookies are set on that request, or perhaps more exotic tracking techniques like keeping track of TLS session resumption tickets). I should emphasize that it is extremely unlikely that they are doing this.

FWIW, it seems that Gravatar and Google resources are no longer loaded on wikimediafoundation.org. @Legoktm, can you confirm (as someone who appears to have checked this task's assertions yesterday)?

It's also loading a tracking pixel from WordPress: https://pixel.wp.com/g.gif (which for some reason doesn't show up in Aklapper's output above).

It's also loading a tracking pixel from WordPress: https://pixel.wp.com/g.gif (which for some reason doesn't show up in Aklapper's output above).

FWIW, Privacy Badger doesn't seem to consider this and the other wp.com resources as tracking:


(I would still agree that they are a privacy concern if they were third party, but as discussed above, they are not.)

I would still agree that they are a privacy concern if they were third party, but as discussed above, they are not.

Got it. Even though they're not "3rd party" I still think we should remove them unless they are strictly necessary so that there's no confusion or uncertainty about it (especially with the community).

These scripts have been disabled while we investigate them further.

@Varnent: What exactly is "investigated further"? What's left to do in this task? Is this open task still high priority?

Dzahn removed a subscriber: Dzahn. Apr 30 2019, 9:30 PM
Varnent lowered the priority of this task from High to Normal. Edited Apr 30 2019, 10:43 PM

@Varnent: What exactly is "investigated further"? What's left to do in this task? Is this open task still high priority?

@Aklapper - Not high priority - essentially we wanted to see what impact removing them would have on the existing design and design changes in progress. However, those are far enough along now I am reasonably confident we have the info we were looking for.

We could close the ticket now, or wait until design changes go live (in the next month or so) and close it then. I am fine either way.

Varnent closed this task as Resolved. Jul 11 2019, 11:43 PM
Varnent claimed this task.

Hello - I believe this ticket has been resolved with the updated design we released this week - which I invite you to check out at: https://wikimediafoundation.org/
I am closing the ticket, but please let me know if it is not resolved on your end. Thank you!