I also see:

https://platform.twitter.com/jot.html
https://syndication.twitter.com/settings
https://platform.twitter.com/widgets.js
https://platform.twitter.com/widgets/widget_iframe.32d6c6b4cb1ed84df04e7f9705a90c47.html
https://s3.amazonaws.com/downloads.mailchimp.com/js/mc-validate.js

The requests to Twitter that are not gobs of minified js instead set cookies full of hashed data. In addition this site includes all the same WP trackware as described in T201022 and T201422. As @Tbayer mentions it's defensible that WP is not considered a 3rd party because they built the site. But it seems highly likely that user behavior on the blog is being used as ad targeting data by Twitter and maybe Amazon. Someone with better front-end skills can probably dig deeper.

To add one more external item to that list: It also loads https://cdn-images.mailchimp.com/embedcode/classic-081711.css for some "MailChimp Signup Form".

Any news from WMF-Blog-Social-Team ? Where is the source code if this site ?

I wonder if we should put these sites behind a proxy with a CSP header that blocks such things, and also prevents them directly getting visitor's data etc.

Related: T201022: Third party resources loaded by wikimediafoundation.org

As a result of the new site, the blog team is no longer actively using this site. The folks working on Governance Wiki and the new site are preparing to archive this site once the new site finishes soft launch (T193912). My hope is that we can remove anything "extra" like these scripts (unless they are for some reason necessary for site content - I do not believe that is the case - but if I am wrong - that may change things) and many other elements to trim it down in general and recognize its inactive/archival status.

My understanding is the presence of these scripts is partly why that site has its own privacy policy: https://foundation.wikimedia.org/wiki/Wikimedia_blog_privacy_policy

In T201203#4569697, @Framawiki wrote:

Where is the source code if this site ?

Info on source code availability: T95129 (tldr: https://github.com/wikimedia/wikimediablog-wordpresscom)

In T201203#4578135, @Varnent wrote:

My understanding is the presence of these scripts is partly why that site has its own privacy policy: https://foundation.wikimedia.org/wiki/Wikimedia_blog_privacy_policy

To the extent that I am able, I could not find in this policy a statement that would cover the fact that viewing pages on https://blog.wikimedia.org unconditionally establishes a connection to the https://platform.twitter.com origin, and gives this third party your current URL, IP address, and User-Agent information (from which the user's currently viewed article, geo location, and device may be identified).

It'd be great to disable this Twitter script and tighten the Referer policy to origin-when-cross-origin. The Twitter widget has also previously been disabled on our other Automattic-hosted sites.

@Aklapper - Can you elaborate on the title change? As far as I know, the policy you mention was specifically written by Legal for the old blog with consideration for the scripts mentioned in this ticket (from the policy: "We may also use some common technologies, including but not limited to: cookies, local storage, JavaScript, or tracking pixels, including some from third parties, to obtain information that could identify you."). The desire to remove them is more principle and consistency than policy.

@Varnent: See Krinkle's previous comment. While the section of the part that you quoted mentions third parties, it does not mention IP address, user agent information, or geolocation information.

In T201203#5150730, @Aklapper wrote:

@Varnent: See Krinkle's previous comment. While the section of the part that you quoted mentions third parties, it does not mention IP address, user agent information, or geolocation information.

Not to be difficult (I agree that we should remove this for blog.wm.o) but "including but not limited to" seems to cover those.

In T201203#5150730, @Aklapper wrote:

@Varnent: See Krinkle's previous comment. While the section of the part that you quoted mentions third parties, it does not mention IP address, user agent information, or geolocation information.

Gotcha - okay - thank you for the context. My understanding is that information is covered under the "information that could identify you" and "including but not limited to" mentioned in the policy. However, I will check with Legal. As of August 2018, the old blog was seen as being compliant with its custom privacy policy, but perhaps Twitter has changed its behavior.

Either way - to be clear - the plan is still to remove these when the old blog is moved to our servers. Technology is driving that process, I can check on where things are at. If the site is no longer compliant with that policy, it may change their priorities for it.

Thanks everyone. I am sorry if I misunderstood. In any case I'm going to revert the task summary as it's seems not as clear as I interpreted it.

@Aklapper - thank you and no worries! I have reached out to Legal and will let Technology know if there are any changes which may change the priority for this effort. Thank you for bringing it up - I think we all agree keeping the sites compliant is important. :)

As I understand it, this needn't be a matter of legality, it should first be a matter of what we want and need. There are no Twitter widgets on this blog. The script does nothing except to make the page load slower, and to needlessly share information with a third party.

If this site were actively developed and someone decided it was a good idea to have embedded Twitter threads inside a blog post, then perhaps it would be needed to work with Legal (and Security) on understanding the privacy implications, whether its legally allowed, or that we want to lax our policy by allowing it.

But, I don't think this is the case here. Could we ask WP VIP to disable it? We've already done this on other sites, and for similar scripts such as NewRelic. (e.g. T200744 and various other tickets.) If I remember correctly, we even disabled this Twitter script on this particular blog in the past. But, it appears an internal regression at WordPress.com has caused it to pop back up, and they haven't realised it. Hence, this task to ask to disable it, again.

@Krinkle - I am not aware of anyone suggesting we should not do this and the method of how is already planned. I think it is more a question of when. My understanding is that when Technology archives the old blog, they will be removing those scripts.

In T201203#5287805, @Varnent wrote:

I think it is more a question of when. My understanding is that when Technology archives the old blog, they will be removing those scripts.

Assuming "when Technology archives the old blog" refers to T193912, that task has no WMF Engineering teams tagged or assigned, and only WMF Communication teams on it. Does not seem really obvious where the expectation comes from that "Technology" (not sure what that means) will archive the old blog. Just saying...

In T201203#5850818, @Aklapper wrote:

In T201203#5287805, @Varnent wrote:

I think it is more a question of when. My understanding is that when Technology archives the old blog, they will be removing those scripts.

Assuming "when Technology archives the old blog" refers to T193912, that task has no WMF Engineering teams tagged or assigned, and only WMF Communication teams on it. Does not seem really obvious where the expectation comes from that "Technology" (not sure what that means) will archive the old blog. Just saying...

Our conversations with Technology department leadership were in meetings and via email. I do not know which team they wanted to have work on it, and so I felt it would be inappropriate for me to simply assign one. The folks I spoke with are aware of the Phabricator ticket, and any notes to add would come from them. I cannot speak to why they did not add to that ticket, you would need to talk with folks in Technology about that. :)