Page MenuHomePhabricator

AddThis gadgets are a violation of the privacy policy
Open, NormalPublic

Description

They send user information to a third party site (addthis.com).

Some have been removed, e.g.
https://kk.wikipedia.org/w/index.php?title=%D0%9C%D0%B5%D0%B4%D0%B8%D0%B0%D0%A3%D0%B8%D0%BA%D0%B8:Gadgets-definition&diff=2553369&oldid=2553242

Others remain:

$ mwgrep addthis.com
arwiki              MediaWiki:Gadget-Sharebox.js
avwiki              MediaWiki:Gadget-addThisMain.js
cewiki              MediaWiki:Gadget-addThisArticles.js
cewiki              MediaWiki:Gadget-addThisMain.js
hewikivoyage        MediaWiki:Gadget-Sharebox.js
pswiki              MediaWiki:Gadget-sharebox.js
ruwiki              MediaWiki:Gadget-addThisArticles.js
ruwiki              MediaWiki:Gadget-addThisMain.js
ruwikisource        MediaWiki:Gadget-addThisArticles.js
tgwiki              MediaWiki:Gadget-addThisArticles.js
tgwiki              MediaWiki:Gadget-addThisMain.js
udmwiki             MediaWiki:Gadget-addThisArticles.js
urwiki              MediaWiki:Gadget-sharebox.js

I would imagine these will start breaking once the CSP is enabled (T28508).

Related Objects

Event Timeline

Esanders created this task.Aug 8 2019, 12:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 8 2019, 12:06 PM
Esanders updated the task description. (Show Details)Aug 8 2019, 12:10 PM

Removing MediaWiki-extensions-Gadgets as this is not about the PHP extension with that name.

sbassett triaged this task as Normal priority.Aug 8 2019, 1:42 PM
sbassett added a subscriber: JFishback_WMF.

Are gadgets expected to fall under the standard Wikimedia privacy policy? I'm not seeing any specific privacy policy just for them, nor am I seeing any exceptional language for them within the standard privacy policy. Though gadgets are fairly similar to user scripts, which often call external resources, and which will indeed break once CSP is set to enforce (whenever that may be.)

Hmm, I had heard about those, but assumed they were properly setup for privacy. Sigh.
@TheDJ a while ago you working on a related script for this, which would obviously (!) have respected privacy. Maybe you could help advise on a replacement, for these other wikis?

Are gadgets expected to fall under the standard Wikimedia privacy policy? I'm not seeing any specific privacy policy just for them, nor am I seeing any exceptional language for them within the standard privacy policy.

Gadgets are executed in the context of a user's session with all the privileges that implies, I would expect it would fall within the same privacy policy as any MediaWiki-and-extensions-provided JavaScript.

Are gadgets expected to fall under the standard Wikimedia privacy policy? I'm not seeing any specific privacy policy just for them, nor am I seeing any exceptional language for them within the standard privacy policy. Though gadgets are fairly similar to user scripts, which often call external resources, and which will indeed break once CSP is set to enforce (whenever that may be.)

Not on secteam anymore, but just to give some historical context about how this sort of thing used to be treated- traditionally this sort of thing was considered a big no no if the gadget was default enabled or didnt disclose what was going on. If the gadget informed the user that information was going to a third party and the user had to opt in to use it (as is the case on ru wikipedia, although i didnt check the others) this was considered a grey area. Afaik this was never officially blessed as being ok, but de-facto was considered ok, or at least we turned a blind eye to it.

As for csp - this sort of usecase was one of the reasons why it was planned to allow users to add things to their allow list - to be able to use gadgets to create mash ups from other sites (although there was some debate whether to include scripts in user control allow list). Anyhow im not working on this anymore so up to whomever takes it over for what actually happens, just wanted to provide some background on the thinking at the time

TheDJ added a comment.Aug 9 2019, 6:58 AM

I used to have a sharebox.js userscript yes, and it showed a disclaimer on its documentation page..
https://web.archive.org/web/20190410075542/https://en.wikipedia.org/wiki/User:TheDJ/Sharebox

it has been deleted for years however.
Something like
https://en.wikipedia.org/wiki/Wikipedia:Wikipedia_Signpost/Templates/Signpost-article-header-v2
That is a much less privacy invasive approach (but also has less features).

stjn added a subscriber: stjn.Aug 9 2019, 12:01 PM

If the gadget informed the user that information was going to a third party and the user had to opt in to use it (as is the case on ru wikipedia, although i didnt check the others) this was considered a grey area. Afaik this was never officially blessed as being ok, but de-facto was considered ok, or at least we turned a blind eye to it.

I added the warnings in 2017 for both gadgets (addThisArticles, addThisMain) because I considered them problematic, but couldn’t outright remove them since like 1,000 users had them enabled. We had a plan to provide an alternative with privacy in mind, but no one had time to write new scripts. I’m pretty sure other wikis with gadgets in the same name don’t have those warnings, unless the gadgets were imported from Russian Wikipedia after 2017.