|Resolved||• srodlund||T242619 Set up Tech blog to share stories from the Wikimedia Technical community|
|Resolved||bd808||T248130 Add CSP header to techblog.wikimedia.org to block 3rd party assets|
|Resolved||bd808||T248869 techblog.wikimedia.org should not connect to googleapis.com or gstatic.com|
|Resolved||bd808||T247569 Investigate 3rd party assets loaded by techblog|
I dug around a bit to figure out where various requests were coming from. Here's what I found so far:
- At https://techblog-wikimedia-org.go-vip.net/wp-admin/admin.php?page=jetpack_modules the toggle to turn this off says "This module is required for WordPress.com VIP"
- https://wikimediafoundation.org/ seems to use piwik.wikimedia.org instead however, so there must be a way
- Should go away if we get the jetpack js above disabled
- fonts.googleapis.com & fonts.gstatic.com
  - Font stack loaded by the 'modern' theme we are using
  - The theme provides three filter hooks which allow tweaking the font stack, but ultimately it always constructs a fonts.googleapis.com URL with them.
  - Theme does have a "use custom fonts" setting which says it will disable the built-in font stack of the theme. We would instead need to install another (probably custom) WP font plugin.
This is going to take a bit more work. First we need to find out from the wpvip host how to disable the thing they disabled the admin UI for. Then we need to look into piwik integration to get some basic traffic stats.
Rather than proxying traffic through the Toolforge CDN tool, I decided to make a really tiny WordPress extension to host the desired fonts directly with techblog. Testing also showed that the Modern theme still loaded the CSS for the remote fonts even when configured to use a custom font CDN. I added a small amount of additional code in the plugin to filter out that CSS if it is injected into the renderer layer.
In addition to the assets noticed by @Aklapper which were loading on all pages, some pages also show loads of New Relic performance tracking assets:
I'm now wondering about adding a Content-Security-Policy header for the site that will block other things from accidentally creeping in via an allow list approach. I will do a bit of research to see how easy/hard CSP headers are to add in WP.
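For readers following the two ideas above (a tiny plugin that serves fonts locally and strips the theme's remote font CSS, and an allow-list Content-Security-Policy header), here is an added, self-contained WordPress plugin sketch. It is example code written for this page, not bd808's actual plugin or anything from the Modern theme or WordPress VIP; the plugin name, the `techblog_example_*` function names, the `fonts/fonts.css` path, the `TECHBLOG_EXAMPLE_CSP_REPORT_ONLY` constant and the exact directive list are all assumptions. Only the WordPress hooks and functions it calls (`wp_enqueue_scripts`, `send_headers`, `wp_styles()`, `wp_dequeue_style`, `wp_deregister_style`, `wp_parse_url`, `plugins_url`) are real core APIs.

```php
<?php
/**
 * Plugin Name: Techblog Local Fonts + CSP (illustrative example, not the real plugin)
 * Description: Replace remote Google Fonts stylesheets with a locally hosted one
 *              and send an allow-list Content-Security-Policy on front-end pages.
 */

// Handle names, the fonts/ path and the constant name below are assumptions.

/**
 * Drop any stylesheet the theme enqueued from the Google Fonts hosts and
 * enqueue a locally hosted font stylesheet instead. Priority 100 makes this
 * run after the theme's own wp_enqueue_scripts callbacks.
 */
function techblog_example_replace_remote_fonts() {
	$remote_hosts = array( 'fonts.googleapis.com', 'fonts.gstatic.com' );
	$styles       = wp_styles();

	// foreach iterates over a copy, so deregistering inside the loop is safe.
	foreach ( $styles->registered as $handle => $dependency ) {
		$host = wp_parse_url( (string) $dependency->src, PHP_URL_HOST );
		if ( $host && in_array( $host, $remote_hosts, true ) ) {
			wp_dequeue_style( $handle );
			wp_deregister_style( $handle );
		}
	}

	// Assumed layout: fonts/fonts.css plus the woff2 files it references live
	// inside this plugin's directory, so they are served from the site itself.
	wp_enqueue_style(
		'techblog-example-local-fonts',
		plugins_url( 'fonts/fonts.css', __FILE__ ),
		array(),
		'1.0'
	);
}
add_action( 'wp_enqueue_scripts', 'techblog_example_replace_remote_fonts', 100 );

/**
 * Build the policy value. Every directive is listed explicitly so that
 * allowing an extra origin later is a deliberate, reviewable edit.
 * 'unsafe-inline' on style-src is kept because WordPress core and most themes
 * emit inline <style> blocks; tighten it once the site is known to work without.
 */
function techblog_example_csp_value() {
	$directives = array(
		"default-src 'self'",
		"script-src 'self'",
		"style-src 'self' 'unsafe-inline'",
		"img-src 'self' data:",
		"font-src 'self'",
		"connect-src 'self'",
		"frame-ancestors 'self'",
		"form-action 'self'",
		"base-uri 'self'",
	);
	return implode( '; ', $directives );
}

/**
 * Send the header on front-end responses only. Define
 * TECHBLOG_EXAMPLE_CSP_REPORT_ONLY as true in wp-config.php while testing:
 * browsers then report violations in the console instead of blocking assets.
 */
function techblog_example_send_csp_header() {
	if ( is_admin() || headers_sent() ) {
		return;
	}
	$report_only = defined( 'TECHBLOG_EXAMPLE_CSP_REPORT_ONLY' ) && TECHBLOG_EXAMPLE_CSP_REPORT_ONLY;
	$header_name = $report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
	header( $header_name . ': ' . techblog_example_csp_value() );
}
add_action( 'send_headers', 'techblog_example_send_csp_header' );
```

Two practical notes. First, run the policy in report-only mode before enforcing it: WordPress core itself injects inline scripts (the emoji detector, for instance), so a strict `script-src 'self'` will surface violations that have nothing to do with third-party hosts and need their own decision (nonces, hashes, or disabling that feature). Second, the dequeue loop only catches stylesheets registered through the enqueue API; a theme that prints a `<link>` tag directly into the template needs the output-filtering approach mentioned above, which the CSP header then backstops by refusing to load the remote font anyway.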
@bd808: Thanks for all your work. Only thing left to mention is that comments below a specific blogpost try to pull the avatar image of that comment author from secure.gravatar.com (quite common). Data collected by Gravatar can be used for advertisement.
A less popular alternative could be Libravatar. Or no avatars. Or ignoring this. :P