Page MenuHomePhabricator

blog.wikimedia.org loads external scripts
Open, HighPublic

Description

https://blog.wikimedia.org/ asks for my browser to load an external script, https://syndication.twitter.com/i/jot
What does this script do ? Is it really needed ? Useful ? Privacy compliant ?

Event Timeline

Framawiki created this task.Aug 3 2018, 8:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 3 2018, 8:06 PM
Framawiki updated the task description. (Show Details)Aug 3 2018, 8:07 PM

I also see:

https://platform.twitter.com/jot.html
https://syndication.twitter.com/settings
https://platform.twitter.com/widgets.js
https://platform.twitter.com/widgets/widget_iframe.32d6c6b4cb1ed84df04e7f9705a90c47.html
https://s3.amazonaws.com/downloads.mailchimp.com/js/mc-validate.js

The requests to Twitter that are not gobs of minified js instead set cookies full of hashed data. In addition this site includes all the same WP trackware as described in T201022 and T201422. As @Tbayer mentions it's defensible that WP is not considered a 3rd party because they built the site. But it seems highly likely that user behavior on the blog is being used as ad targeting data by Twitter and maybe Amazon. Someone with better front-end skills can probably dig deeper.

To add one more external item to that list: It also loads https://cdn-images.mailchimp.com/embedcode/classic-081711.css for some "MailChimp Signup Form".

Any news from WMF-Blog-Social-Team ? Where is the source code if this site ?

chasemp triaged this task as High priority.Sep 10 2018, 2:38 PM
chasemp added a subscriber: Security-Team.
greg added a subscriber: greg.Sep 10 2018, 3:18 PM
Krenair added a subscriber: Krenair.EditedSep 10 2018, 3:48 PM

I wonder if we should put these sites behind a proxy with a CSP header that blocks such things, and also prevents them directly getting visitor's data etc.

Framawiki renamed this task from blog.wikimedia.org loads twitter scripts to blog.wikimedia.org loads external scripts.Sep 12 2018, 6:24 PM

As a result of the new site, the blog team is no longer actively using this site. The folks working on Governance Wiki and the new site are preparing to archive this site once the new site finishes soft launch (T193912). My hope is that we can remove anything "extra" like these scripts (unless they are for some reason necessary for site content - I do not believe that is the case - but if I am wrong - that may change things) and many other elements to trim it down in general and recognize its inactive/archival status.

My understanding is the presence of these scripts is partly why that site has its own privacy policy: https://foundation.wikimedia.org/wiki/Wikimedia_blog_privacy_policy

Where is the source code if this site ?

Info on source code availability: T95129 (tldr: https://github.com/wikimedia/wikimediablog-wordpresscom)

My understanding is the presence of these scripts is partly why that site has its own privacy policy: https://foundation.wikimedia.org/wiki/Wikimedia_blog_privacy_policy

To the extent that I am able, I could not find in this policy a statement that would cover the fact that viewing pages on https://blog.wikimedia.org unconditionally establishes a connection to the https://platform.twitter.com origin, and gives this third party your current URL, IP address, and User-Agent information (from which the user's currently viewed article, geo location, and device may be identified).

It'd be great to disable this Twitter script and tighten the Referer policy to origin-when-cross-origin. The Twitter widget has also previously been disabled on our other Automattic-hosted sites.

greg removed a subscriber: greg.Jan 27 2019, 6:45 AM
Aklapper renamed this task from blog.wikimedia.org loads external scripts to blog.wikimedia.org loads external scripts and violates [[foundation:Wikimedia_blog_privacy_policy]].May 1 2019, 2:35 PM
Varnent added a comment.EditedMay 1 2019, 6:11 PM

@Aklapper - Can you elaborate on the title change? As far as I know, the policy you mention was specifically written by Legal for the old blog with consideration for the scripts mentioned in this ticket (from the policy: "We may also use some common technologies, including but not limited to: cookies, local storage, JavaScript, or tracking pixels, including some from third parties, to obtain information that could identify you."). The desire to remove them is more principle and consistency than policy.

@Varnent: See Krinkle's previous comment. While the section of the part that you quoted mentions third parties, it does not mention IP address, user agent information, or geolocation information.

jrbs added a subscriber: jrbs.May 1 2019, 6:36 PM

@Varnent: See Krinkle's previous comment. While the section of the part that you quoted mentions third parties, it does not mention IP address, user agent information, or geolocation information.

Not to be difficult (I agree that we should remove this for blog.wm.o) but "including but not limited to" seems to cover those.

Varnent added a comment.EditedMay 1 2019, 6:37 PM

@Varnent: See Krinkle's previous comment. While the section of the part that you quoted mentions third parties, it does not mention IP address, user agent information, or geolocation information.

Gotcha - okay - thank you for the context. My understanding is that information is covered under the "information that could identify you" and "including but not limited to" mentioned in the policy. However, I will check with Legal. As of August 2018, the old blog was seen as being compliant with its custom privacy policy, but perhaps Twitter has changed its behavior.

Either way - to be clear - the plan is still to remove these when the old blog is moved to our servers. Technology is driving that process, I can check on where things are at. If the site is no longer compliant with that policy, it may change their priorities for it.

Thanks everyone. I am sorry if I misunderstood. In any case I'm going to revert the task summary as it's seems not as clear as I interpreted it.

Aklapper renamed this task from blog.wikimedia.org loads external scripts and violates [[foundation:Wikimedia_blog_privacy_policy]] to blog.wikimedia.org loads external scripts.May 1 2019, 6:42 PM

@Aklapper - thank you and no worries! I have reached out to Legal and will let Technology know if there are any changes which may change the priority for this effort. Thank you for bringing it up - I think we all agree keeping the sites compliant is important. :)

As I understand it, this needn't be a matter of legality, it should first be a matter of what we want and need. There are no Twitter widgets on this blog. The script does nothing except to make the page load slower, and to needlessly share information with a third party.

If this site were actively developed and someone decided it was a good idea to have embedded Twitter threads inside a blog post, then perhaps it would be needed to work with Legal (and Security) on understanding the privacy implications, whether its legally allowed, or that we want to lax our policy by allowing it.

But, I don't think this is the case here. Could we ask WP VIP to disable it? We've already done this on other sites, and for similar scripts such as NewRelic. (e.g. T200744 and various other tickets.) If I remember correctly, we even disabled this Twitter script on this particular blog in the past. But, it appears an internal regression at WordPress.com has caused it to pop back up, and they haven't realised it. Hence, this task to ask to disable it, again.

@Krinkle - I am not aware of anyone suggesting we should not do this and the method of how is already planned. I think it is more a question of when. My understanding is that when Technology archives the old blog, they will be removing those scripts.