
Privacy / CSP script violation on arwiki
Closed, ResolvedPublic

Description

As reported by @Krinkle, MediaWiki:common.js on arwiki is currently loading some external JavaScript on line 14 (tools.wmflabs.org/imagemapedit/ime.js):

https://ar.wikipedia.org/w/index.php?title=%D9%85%D9%8A%D8%AF%D9%8A%D8%A7%D9%88%D9%8A%D9%83%D9%8A:Common.js

While tools.wmflabs.org might not be considered "external" by certain community members, the Security-Team definitely considers it external when it comes to various security and privacy issues. WMF-Legal or Trust-and-Safety should perform an office action here where lines 11 - 18 are deleted and a note left on the talk page and perhaps with a privileged user (Meno25 is a sysop who's recently edited the page.) The Security-Team is happy to help with any of the messaging/boilerplate.

Event Timeline

sbassett created this task. Nov 19 2019, 4:26 PM
Restricted Application added subscribers: alanajjar, Aklapper. Nov 19 2019, 4:26 PM
sbassett triaged this task as High priority. Nov 19 2019, 4:26 PM
sbassett added projects: Security-Team, Privacy.
sbassett moved this task from Backlog / Other to Other WMF team on the Security board.
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett updated the task description.
sbassett added subscribers: jrbs, Reedy, JFishback_WMF, chasemp.

should perform an office action here

I'd be surprised if this qualified for an office action. Last time in (ever public) T208177#4703847, we escalated to stewards instead.

sbassett added a subscriber: revi. Nov 19 2019, 6:51 PM
revi added a comment. Nov 19 2019, 6:59 PM

(Contacted Alaa privately: He speaks Arabic and is also S, admin, int-admin @ arwiki.)

(Contacted Alaa privately: He speaks Arabic and is also S, admin, int-admin @ arwiki.)

Thanks @revi

should perform an office action here where lines 11 - 18 are deleted

So, should I delete these lines only (without an office action)? Also, for documentation, it was added on 1 July 2017.

and a note left on the talk page

If you write it in English, I can translate it to Arabic.

On commons, ImageMapEdit on commons

[http://tools.wmflabs.org/imagemapedit/ Image map editor] is code on Toolforge that lets you edit imagemaps of images on commons and generates the wikitext needed by the ImageMap extension.
You add it to your [[Special:MyPage/common.js|common.js]] ([[m:User:Dapete/ImageMapEdit#English|see instructions]]), and then when you view an image on commons an '''ImageMap >''' link appears under it.
See quick guide of what to do next in [[:Category:Clickable maps]].

should perform an office action here where lines 11 - 18 are deleted

So, should I delete these lines only (without an office action)?

Done on arwiki, and done on arwikiquote.

alanajjar added a comment. Edited Nov 19 2019, 8:17 PM

(tools.wmflabs.org/imagemapedit/ime.js):

Per global search, this loader is also used in the MediaWiki namespace of:

Also, per here, it's used on around 162 pages.

jrbs added a comment. Edited Nov 19 2019, 8:21 PM

should perform an office action here where lines 11 - 18 are deleted

So, should I delete these lines only (without an office action)?

Done on arwiki, and done on arwikiquote.

Do you want me to back these up with WMFOffice (with a dummy edit perhaps?) -- see below comment

(tools.wmflabs.org/imagemapedit/ime.js):

Per global search, this loader is also used on:

Also, per here, it's used on around 162 pages.

162?! Do we need to remove all of those? @sbassett

jrbs added a comment. Nov 19 2019, 8:26 PM

should perform an office action here

I'd be surprised if this qualified for an office action. Last time in (ever public) T208177#4703847, we escalated to stewards instead.

Indeed the office actions policy doesn't really cover this sort of thing, but I think if we believe the risk to user safety is high enough we should do what we can. In this instance I would probably agree that the Stewards are more than equipped to handle this sort of thing.

sbassett added a comment. Edited Nov 19 2019, 8:48 PM

Per global search, this loader is also used on:

Also, per here, it's used on around 162 pages.

162?! Do we need to remove all of those? @sbassett

No, those are in the User: namespace, so they're fine. If folks want to actively violate their own privacy, they can, at least until CSP begins to enforce. For the other 4 mentioned by @alanajjar, we'll need to do the same thing we did for the ar projects above for he.wikipedia.org and ps.wikipedia.org, as those are in their MediaWiki:Common.js and will be loaded for all users of those wikis whether they want it to or not. The other two - it.wikiquote.org and it.wikivoyage.org - are gadgets, so we don't need to worry about them for right now.

sbassett added a comment. Edited Nov 19 2019, 11:28 PM

I performed a quick audit of tools.wmflabs.org scripts using mwgrep. I found a few more in addition to he.wikipedia.org and ps.wikipedia.org, so I'm going to resolve this task for now since @alanajjar took care of the ones for the ar projects (thanks!) and create a new task for these additional wikis.

Done: T238706
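As an added illustration of the triage described in the two comments above (site-wide MediaWiki: pages are the real problem, User: pages only affect their owner, gadgets are deferred), here is a small Python audit in the spirit of the mwgrep pass. It is not code from the task or from mwgrep; the sample page contents, the "MediaWiki:Example.js" and "MediaWiki:Gadget-Example.js" titles and the "User:Example" account are constructed, and only the ime.js loader URL comes from the task.

```python
import re
from urllib.parse import urlparse

# Call patterns by which MediaWiki site JS pulls in a script by URL.
LOADER_RE = re.compile(
    r"""(?:mw\.loader\.load|importScriptURI|\$\.getScript)\s*\(\s*(['"])((?:https?:)?//[^'"]+)\1"""
)

def find_external_loads(js_source, wiki_host):
    """Return every loaded script URL whose host differs from wiki_host."""
    external = []
    for m in LOADER_RE.finditer(js_source):
        url = m.group(2)
        # Protocol-relative URLs ('//host/path') are common in Common.js; give them a scheme to parse.
        host = urlparse(url if url.startswith("http") else "https:" + url).hostname
        if host and host.lower() != wiki_host.lower():
            external.append(url)
    return external

def classify_title(title):
    """Map a page title to the audience that receives its script."""
    if title.startswith("MediaWiki:Gadget-"):
        return "gadget"        # opt-in or default gadget; triaged separately
    if title.startswith("MediaWiki:"):
        return "site-wide"     # served to every reader of the wiki
    if title.startswith("User:"):
        return "user-only"     # affects only the account that installed it
    return "other"

def triage(pages, wiki_host):
    """pages: {title: js_source}. Returns (scope, title, url) tuples, site-wide first."""
    order = {"site-wide": 0, "gadget": 1, "other": 2, "user-only": 3}
    findings = [
        (classify_title(title), title, url)
        for title, src in pages.items()
        for url in find_external_loads(src, wiki_host)
    ]
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

# Constructed sample pages; only the ime.js loader URL is taken from the task.
SAMPLE_PAGES = {
    "MediaWiki:Common.js": (
        "mw.loader.load('//tools.wmflabs.org/imagemapedit/ime.js');\n"
        "importScriptURI('https://ar.wikipedia.org/w/index.php?title=MediaWiki:Example.js"
        "&action=raw&ctype=text/javascript');\n"   # same host: not flagged
    ),
    "MediaWiki:Gadget-Example.js": "$.getScript(\"https://tools.wmflabs.org/example/x.js\");\n",
    "User:Example/common.js": "mw.loader.load('//tools.wmflabs.org/imagemapedit/ime.js');\n",
}

if __name__ == "__main__":
    for scope, title, url in triage(SAMPLE_PAGES, "ar.wikipedia.org"):
        print(f"{scope:10} {title:30} {url}")
```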

sbassett closed this task as Resolved. Nov 19 2019, 11:28 PM
sbassett claimed this task.
sbassett reassigned this task from sbassett to alanajjar.
sbassett lowered the priority of this task from High to Medium.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett moved this task from Backlog to Done on the Privacy board.
sbassett moved this task from Other WMF team to Done on the Security board.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Nov 20 2019, 3:28 PM