Change Details

CSP is a technical solution to enforce privacy (and to a lesser extent) security standards. Technical measures should always be informed by political measures, and not the other way around. There's various de-facto standards related to user scripts, and what is and is not acceptable to do in them. We should make these standards explicit Issues at hand: * When is it acceptable to load external non-script data (Current de-facto: With user consent, for non-default scripts only) * When is it acceptable to load external scripts (Current de-facto: same as above, although I'd like to change it) * Is it acceptable to load data from toolforge without user consent, or in default gadgets (Current de-facto: Mostly no, but this is often not enforced) ** A major sub-part of this is fonts from toolforge cdn A secondary issue, might be, to what extent are scripts allowed to store user data/track users in cookies and whatnot (current de-facto: no rules as long as its not sent to an external party) This needs to be discussed with various stake-holders

CSP is a technical solution to enforce privacy (and to a lesser extent) security standards. Technical measures should always be informed by political measures, and not the other way around. There's various de-facto standards related to user scripts, and what is and is not acceptable to do in them. We should make these standards explicit Issues at hand: * When is it acceptable to load external non-script data (Current de-facto: With user consent, for non-default scripts only) * When is it acceptable to load external scripts (Current de-facto: same as above, although I'd like to change it) * Is it acceptable to load data from toolforge without user consent, or in default gadgets (Current de-facto: Mostly no, but this is often not enforced) ** A major sub-part of this is fonts from toolforge cdn. See also arguments at T209998 A secondary issue, might be, to what extent are scripts allowed to store user data/track users in cookies and whatnot (current de-facto: no rules as long as its not sent to an external party) This needs to be discussed with various stake-holders

CSP is a technical solution to enforce privacy (and to a lesser extent) security standards. Technical measures should always be informed by political measures, and not the other way around. There's various de-facto standards related to user scripts, and what is and is not acceptable to do in them. We should make these standards explicit Issues at hand: * When is it acceptable to load external non-script data (Current de-facto: With user consent, for non-default scripts only) * When is it acceptable to load external scripts (Current de-facto: same as above, although I'd like to change it) * Is it acceptable to load data from toolforge without user consent, or in default gadgets (Current de-facto: Mostly no, but this is often not enforced) ** A major sub-part of this is fonts from toolforge cdn. See also arguments at T209998 A secondary issue, might be, to what extent are scripts allowed to store user data/track users in cookies and whatnot (current de-facto: no rules as long as its not sent to an external party) This needs to be discussed with various stake-holders