From June 5th to July 17th, the Security-Team opened a consultation with contributors regarding a policy to govern the use of third-party resources (TPR) in volunteer-developed gadgets, scripts, used on Wikimedia sites.

Context

Ongoing discussions have highlighted that third-party resources being loaded into Gadgets and UserScripts can create security and privacy issues for end-users. One solution identified is to create a policy which outlines the restrictions on the use of third-party resources in gadgets and user scripts, and legitimizes the administrative and technical controls enforcing those restrictions. Led by the Foundation's Security team, the initiative of the Third-Party Resources policy followed the Technical Decision Forum (TDF) steps, gathering initial feedback from trusted community members and staff, collecting statistics (T335892), and drafting an initial version of a policy. Since the policy is expected to impact a large number of users, its initial version is released publicly for discussion with the aim of shaping the policy content in tandem with the community.

Next steps

• Move relevant consultation content to meta-wiki, mark it for translation (03 June 2023)
• Open consultation, invite community members through standard channels (05 June 2023)
• Respond to feedback, update policy content iteratively based on feedback (June-July 2023)
• Send reminders to community members (June-July 2023)
• Close the consultation, consolidate feedback and update policy (17 July 2023)
• Review input from consultation and decide on next steps, WMF-Legal guidance (Aug-Oct 2023)
• Release decision regarding TPR policy (late October 2023)