From June 5th to July 17th, the #security-team will open a consultation with contributors regarding a policy to govern the use of third-party resources (TPR) in volunteer-developed gadgets, scripts, used on Wikimedia sites. Although the discussion will happen mainly on meta-wiki, this ticket keeps track of the consultation progress and makes it easy to connect the dots with the larger TPR policy parent task (T296847) and subtasks.
#### Context
Led by the Foundation's Security team,[[ https://phabricator.wikimedia.org/T296847 | Ongoing discussions ]] have highlighted that third-party resources being loaded into Gadgets and UserScripts can create security and privacy issues for end-users. One solution identified is to create a policy which outlines the restrictions on the use of third-party resources in gadgets and user scripts, and legitimizes the administrative and technical controls enforcing those restrictions. the initiative of the Third-Party Resources policy targets the issue of Gadgets and User Scripts loading external resources to production websites while putting users' privacy and the infrastructure's integrity at risk. The initiativeLed by the Foundation's Security team, the initiative of the Third-Party Resources policy followed the Technical Decision Forum (TDF) [[ https://www.mediawiki.org/wiki/Technical_decision_making#Process_flow | steps ]], gathering initial feedback from trusted community members and staff, collecting statistics (T335892), and drafting an initial version of a policy. Since the policy is expected to impact a large number of users, its initial version is released publicly for discussion with the aim of reviewing and formalizing the restrictions on the use of third-party resources in gadgets and user scripts.
#### Next steps
[ ] Move relevant consultation content to meta-wiki, mark it for translation (03 June 2023)
[ ] Open consultation, invite community members through standard channels (05 June 2023)
[ ] Respond to feedback, update policy content iteratively based on feedback (June-July 2023)
[ ] Send reminders to community members (June-July 2023)
[ ] Close the consultation (17 July 2023)
[ ] Submit updated policy to #wmf-legal for compliance with other Foundation policies (Aug 2023)
[ ] Release version 1.0 of TPR policy (September 2023)