Maniphest T201422

Wikimedia Foundation website includes Wordpress tracking pixel
Open, HighPublic
Actions

Description

Anyone who uses the new website as an entry point to our other projects is being tracked by this service. The request to pixel.wp.com is made even when the Do Not Track header is sent. This domain is in the default block list for popular ad blockers.

I am adding fundraising-backlog because this issue is of extra importance to people who might click the "donate" link on the new site.

Edited to be less speculative

Related Objects
Search...

		Status	Assigned	Task
		Open	None	T201022 Third party resources loaded by wikimediafoundation.org
		Open	None	T201422 Wikimedia Foundation website includes Wordpress tracking pixel

cwdent created this task.Aug 7 2018, 3:12 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 7 2018, 3:12 PM

jgleeson added a subscriber: jgleeson.Aug 7 2018, 3:16 PM

Reedy added a project: Privacy.Aug 7 2018, 4:04 PM

cwdent updated the task description. (Show Details)Aug 7 2018, 5:32 PM

DStrine moved this task from Analysis to Blocked & not fr-tech on the Fundraising-Backlog board.Aug 7 2018, 8:23 PM

Varnent moved this task from Incoming to July 2018 soft launch on the wikimediafoundation.org board.Aug 8 2018, 9:47 PM

Reedy updated the task description. (Show Details)Aug 9 2018, 12:38 AM

Reedy updated the task description. (Show Details)

TheDJ added a subscriber: TheDJ.Aug 10 2018, 1:40 PM

Yair_rand awarded a token.Aug 14 2018, 7:57 PM

Yair_rand added a subscriber: Yair_rand.

Mholloway added a subscriber: Mholloway.Aug 17 2018, 3:46 AM

EdErhart-WMF added a subscriber: EdErhart-WMF.Aug 20 2018, 9:48 PM

Chicocvenancio awarded a token.Aug 22 2018, 2:22 PM

It looks like there is tracking of all navigation to external sites with this. For example, when I clicked on "Donate Now", the following request was sent:
https://pixel.wp.com/c.gif?s=2&u=https%3A%2F%2Fdonate.wikimedia.org%2F&r=&b=147851870&p=10&rand=0.17689332155574422

This happened despite Do Not Track being enabled (this confirms the behaviour described in the task description).

Setting as high to match T201022: Third party resources loaded by wikimediafoundation.org

Note that wp.com is not a third party here (except in a purely technical sense like commons.wikimedia.org is for en.wikipedia.org), it's hosted by the same entity as the main domain wikimediafoundation.org. See T201022#4544867

cwdent mentioned this in T201203: blog.wikimedia.org loads external scripts.Sep 5 2018, 3:54 PM

Framawiki added a parent task: T201022: Third party resources loaded by wikimediafoundation.org.Sep 12 2018, 6:36 PM

Framawiki added a subscriber: Framawiki.

Framawiki added a subscriber: Security-Team.

Dzahn awarded a token.Sep 12 2018, 11:13 PM

These scripts have been disabled while we investigate them further.

Any updates about this?