
Fix (non-default) gadgets loading executable JavaScript from third-party URLs
Open, Medium, Public

Event Timeline

JFishback_WMF moved this task from Incoming to Backlog on the Privacy Engineering board.

Hello @Aklapper,

I would be grateful if you could clarify what you are requesting/expecting. Are you suggesting that those gadgets be taken down, or that their authors be required to draft an on-wiki heads-up, for instance on the widget's talk page? Or is it something else entirely that you're asking for?

@sguebo_WMF: I am fine with any suggestion and action which will lead to our users' PII not being leaked to third parties without a warning to our users. See also T65598 or T230124.

Hello @Aklapper ,

The Foundation’s Privacy Policy mentions the commitment of “never selling [user] information or sharing it with third parties for marketing purposes” and “[...] only sharing [user] information in limited circumstances, such as to improve the Wikimedia Sites, to comply with the law, or to protect you and others.” In principle, gadgets that share user information with third parties do so in violation of this policy. However, it is worth noting that some of these scripts are used by thousands of contributors. Therefore, I think there should be a short-term and a long-term approach to tackling this issue.

I think that, for all those widgets that were brought to our attention, a short-term solution would be to require their authors to disclose clearly the fact that user information is shared with external parties. For default widgets, a way to do so is currently being examined by Legal (see T65598#7029167). As for non-default widgets, a notice could be added on-wiki, as some widget authors have done in the past.

As for the longer term, the privacy policy could be enforced through technical controls, such as Content-Security-Policy. If necessary, the policy could be expanded/clarified for widgets specifically, under the guidance of WMF-Legal.

For now I am willing to contact the widget authors and ask them to put a heads-up on-wiki.
I just sent a few pings:

Thanks for the ping. I have added a sentence to reflect the concern on the gadget description for zhwikinews where I am a sysop.

Indeed, @Xiplus , do you find it feasible if we move your script to the wiki so that the concern could be eliminated?

@Waihorace None of the scripts listed above were made by me. For Wikiplus, please contact 镜音铃.

Thanks very much for your quick move. I still haven't heard from the other authors. If you happen to know them or any admin on those communities who'd be willing to give them a nudge, that'd be appreciated. For now, as suggested by @Xiplus, I left 镜音铃 a gentle note.

Krinkle renamed this task from "Fix (non-default) gadgets loading external resources" to "Fix (non-default) gadgets loading executable JavaScript from third-party URLs". Apr 26 2021, 5:28 PM
Krinkle added a subscriber: Krinkle.

Updated title to reflect presumed intent, also based on the direction of T135963 and related tasks, which is that (afaik) we will continue to allow, in the long term, the use of third-party resources (with proper privacy explanation and prior consent, of course). However, we will not under any circumstances allow execution of third-party JavaScript code in the long term. APIs and media are fine; JS is not, and must be hosted on-wiki or elsewhere instead.
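The distinction drawn in the comment above (third-party APIs and media may stay, third-party JavaScript may not) can be checked mechanically over gadget source. The following is an added example written for this page, not code from MediaWiki, the Wikimedia Foundation or any gadget author: it scans gadget source text for the common calls that fetch and execute a script from a URL and reports which of them point off-wiki. The hostnames in `WIKI_HOSTS`, the two sample gadget sources and the function names are all constructed for the example.

```javascript
'use strict';
// Added example for this task, not code from MediaWiki, the Wikimedia
// Foundation or any gadget author. It scans gadget source for the calls
// that fetch and execute JavaScript from a URL and sorts each one under the
// rule stated above: scripts must come from the wiki itself, while loading
// non-executable resources (styles, media, API data) is a separate question.
// WIKI_HOSTS and SAMPLE_GADGETS are constructed assumptions.

const WIKI_HOSTS = new Set(['zh.wikinews.org', 'en.wikipedia.org']); // assumed

// Call sites that evaluate whatever the URL returns. mw.loader.load also
// accepts ResourceLoader module names and, with a second argument of
// 'text/css', stylesheet URLs; the other two only ever load scripts.
const LOADERS = [
  { api: 'mw.loader.load',
    re: /mw\.loader\.load\(\s*(['"])(?<url>[^'"]*)\1(?:\s*,\s*(['"])(?<type>[^'"]*)\3)?/g },
  { api: '$.getScript', re: /\$\.getScript\(\s*(['"])(?<url>[^'"]*)\1/g },
  { api: 'importScriptURI', re: /importScriptURI\(\s*(['"])(?<url>[^'"]*)\1/g },
];

// Hostname of a URL literal: 'self' for a same-origin path, null when the
// string is not a URL at all (a module name or a bare relative path).
function hostOf(url) {
  if (/^https?:\/\//.test(url)) {
    try { return new URL(url).hostname; } catch { return null; }
  }
  if (url.startsWith('//')) {          // protocol-relative
    try { return new URL('https:' + url).hostname; } catch { return null; }
  }
  return url.startsWith('/') ? 'self' : null;
}

// Verdicts: 'module' (ResourceLoader module name, served by the wiki),
// 'stylesheet' (not executable), 'on-wiki-script' (same origin or a known
// wiki host), 'third-party-script' (the case the task title is about).
function classify(api, url, type) {
  const host = hostOf(url);
  // For mw.loader.load a non-URL string is a module name; for the other
  // loaders it is a relative path that resolves against the wiki's origin.
  if (host === null) return api === 'mw.loader.load' ? 'module' : 'on-wiki-script';
  // Only an explicit 'text/css' is treated as a stylesheet; a .css URL
  // without it is still reported, which is the safe direction for an audit.
  if (api === 'mw.loader.load' && type === 'text/css') return 'stylesheet';
  if (host === 'self' || WIKI_HOSTS.has(host)) return 'on-wiki-script';
  return 'third-party-script';
}

// Scan one gadget's source; returns one finding per matched call site.
function scan(gadget, source) {
  const findings = [];
  for (const { api, re } of LOADERS) {
    for (const m of source.matchAll(re)) {
      const { url, type } = m.groups;
      findings.push({ gadget, api, url, verdict: classify(api, url, type) });
    }
  }
  return findings;
}

// Only the findings an auditor has to act on.
function violations(gadgets) {
  return Object.entries(gadgets)
    .flatMap(([gadget, source]) => scan(gadget, source))
    .filter((f) => f.verdict === 'third-party-script');
}

// Constructed sample sources (not real gadgets from any wiki).
const SAMPLE_GADGETS = {
  'MediaWiki:Gadget-Example-ok.js': [
    "mw.loader.load('ext.gadget.ExampleTool');",
    "mw.loader.load('//en.wikipedia.org/w/index.php?title=User:Example/tool.js&action=raw&ctype=text/javascript');",
    "mw.loader.load('//example.org/theme.css', 'text/css');",
  ].join('\n'),
  'MediaWiki:Gadget-Example-bad.js': [
    "importScriptURI('https://cdn.example.com/lib/helper.js');",
    '$.getScript("//static.example.net/tool.min.js");',
  ].join('\n'),
};

for (const f of violations(SAMPLE_GADGETS)) {
  console.log(`${f.gadget}: ${f.api} loads third-party script ${f.url}`);
}
```

The scanner only sees string-literal URLs: a URL assembled at runtime, or a `<script>` element created and given a `src` dynamically, is not caught, so a clean report is evidence, not proof, that a gadget stays on-wiki. It also makes no attempt to judge the separate question of API calls and media loads, which the comment above leaves allowed subject to disclosure and consent.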