
Add Scryfall to CSP whitelist
Closed, Declined (Public)

Description

I plan to use the card images hosted on Scryfall in my wiki to provide a visual reference in addition to the card text provided by their API.

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes, see above
  • Does the site provide a list of personal data being collected by using the service? Yes, see "Analytics Data" in page linked above
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Yes
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Company is very small, so it seems like they don't have a dedicated person/team for that. Their general support can be contacted here
  • Is the site equipped with a security policy? There is a brief section about security in their Privacy Policy
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? The site is hosted on Heroku, and is subject to their security practices
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? No specific person/team for this, but support can be contacted.

Event Timeline

Artillect updated the task description.
Reception123 triaged this task as Normal priority. Jan 1 2023, 13:59

Regarding GDPR compliance, I don't see any explicit mentions of it. Yes, you can delete your data, but there still doesn't seem to be any clear compliance with the GDPR or any similar laws since it is a US-based company.

Ah, you're right. Since the website's data is hosted through Heroku Postgres, which does have a commitment to GDPR compliance, I assume they would comply with the GDPR, but I understand if the lack of an explicit mention of it is an issue. What do you suggest I should do here? Should I contact them and ask about GDPR compliance?

Contacting them would probably be a good idea. As long as there is GDPR compliance I'd be fine with approving on my end and letting Trust & Safety review.

@Reception123 I can contact them myself if you want.

If you could, that'd be great, thanks!

They don't have an email, but there is a form on their website (behind Cloudflare's annoying CAPTCHA, of course). Here's what I've sent them:

Hi. I was just interested in knowing if EU citizens can exercise their GDPR rights here. Additionally, other than Google, do you share data with any other company?

Here's the rest of the conversation, with the identity of the person who answered redacted:

Scryfall:

Hey there:

This is all covered here: https://scryfall.com/docs/privacy

Best,
<REDACTED> from Scryfall

Me:

On Fri, 3 Feb 2023 13:55:35 +0000
<REDACTED> wrote:

> Hey there:
> 
> This is all covered here: https://scryfall.com/docs/privacy  

It doesn't mention the GDPR at all, and, while you can delete your
account at any moment, there doesn't seem to be a mention of the rest
of the rights, like the data portability one.

Scryfall:

You are able to download your account data here: https://scryfall.com/settings/safety


> On Feb 3, 2023, at 09:01, Alex <alex@blueselene.com> wrote:
> 
> On Fri, 3 Feb 2023 13:55:35 +0000
> <REDACTED> wrote:
>   
>> Hey there:
>> 
>> This is all covered here: https://scryfall.com/docs/privacy  
> 
> It doesn't mention the GDPR at all, and, while you can delete your
> account at any moment, there doesn't seem to be a mention of the rest
> of the rights, like the data portability one.

@OrangeStar Does this seem satisfactory in your opinion? To me, even if it doesn't specifically mention the GDPR, if everything contained in the GDPR is respected, that should be acceptable.

Well, they're using Google Analytics (and Cloudflare's reverse proxy, which is also somewhat questionable, perhaps not quite as much as GA), so just for that I would decline this, but that's just me.

Other than that, the privacy policy is straightforward in terms of who they're sharing data with, and you can both delete your account at will and download whatever information they store about it. It also looks like they really only collect what they need to operate the website (except the GA info of course, no-one needs that). They also have a CSP (see below), and provide some information on how to clear GA identifiers. So, if I ignore Google Analytics, it looks okay-ish to me.

Of course, they don't explicitly attempt to comply with the GDPR, that's important to keep in mind.

Scryfall's Content Security Policy

content-security-policy: default-src 'none'; base-uri 'none'; frame-src *.google.com checkout.stripe.com; frame-ancestors 'none'; style-src *.scryfall.com scryfall.com; script-src *.scryfall.com scryfall.com *.google-analytics.com *.googletagmanager.com *.google.com *.gstatic.com checkout.stripe.com 'unsafe-eval'; img-src *.scryfall.io *.scryfall.com scryfall.com *.google-analytics.com *.googletagmanager.com *.stripe.com data:; font-src *.scryfall.com scryfall.com; manifest-src *.scryfall.com scryfall.com; connect-src api.scryfall.com scryfall.com *.google-analytics.com *.googletagmanager.com *.analytics.google.com checkout.stripe.com; block-all-mixed-content;
cache-control: public
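
The header above is quoted verbatim from Scryfall; the following is an added example (not code from the task, from Miraheze or from Scryfall) that parses a Content-Security-Policy header into its directives and evaluates whether a given resource URL would be permitted by a given fetch directive, which is the question a CSP whitelist review asks. It assumes a document origin of https://scryfall.com/, uses constructed sample URLs (the hostnames cards.scryfall.io and example.com are made up for illustration), and implements simplified CSP3 host-source matching: wildcard hosts, schemes and ports are handled, path-part matching, nonces and hashes are not.

```python
"""Parse a Content-Security-Policy header and check resource URLs against it (added example)."""
from urllib.parse import urlsplit

# Copy of the header quoted in the task (constructed from the task text; whitespace normalised).
SCRYFALL_CSP = (
    "default-src 'none'; base-uri 'none'; frame-src *.google.com checkout.stripe.com; "
    "frame-ancestors 'none'; style-src *.scryfall.com scryfall.com; "
    "script-src *.scryfall.com scryfall.com *.google-analytics.com *.googletagmanager.com "
    "*.google.com *.gstatic.com checkout.stripe.com 'unsafe-eval'; "
    "img-src *.scryfall.io *.scryfall.com scryfall.com *.google-analytics.com "
    "*.googletagmanager.com *.stripe.com data:; font-src *.scryfall.com scryfall.com; "
    "manifest-src *.scryfall.com scryfall.com; connect-src api.scryfall.com scryfall.com "
    "*.google-analytics.com *.googletagmanager.com *.analytics.google.com checkout.stripe.com; "
    "block-all-mixed-content;"
)

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Fetch directives that are absent fall back to other directives (CSP3 chains, simplified).
FALLBACKS = {
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}
FETCH_DIRECTIVES = {"child-src", "connect-src", "font-src", "frame-src", "img-src", "manifest-src",
                    "media-src", "object-src", "script-src", "style-src", "worker-src"}
# Keywords that weaken a policy and deserve a second look during review.
PERMISSIVE = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}; the first occurrence wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _origin(u):
    """(scheme, host, effective port) of a split URL, with default ports filled in."""
    return (u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme))


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # *.scryfall.io matches any subdomain, not the bare domain
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return pattern == host


def _source_matches(expr, url, doc_origin):
    expr = expr.lower()
    if expr == "'self'":
        return _origin(url) == doc_origin
    if expr.startswith("'"):  # 'none', 'unsafe-eval', nonces and hashes never match a URL
        return False
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as data: or https:
        return url.scheme == expr[:-1]
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    rest = rest.split("/", 1)[0]  # assumption: path-part matching is not implemented
    hostpat, _, port = rest.partition(":")
    if scheme is not None:
        if url.scheme != scheme:
            return False
    elif url.scheme != "https" and not (url.scheme == "http" and doc_origin[0] == "http"):
        return False  # schemeless host-source: https always, http only from an http document
    if not _host_matches(hostpat, (url.hostname or "").lower()):
        return False
    if port and port != "*" and str(url.port or DEFAULT_PORTS.get(url.scheme)) != port:
        return False
    return True


def allows(policy, directive, resource_url, document_url="https://scryfall.com/"):
    """True if a resource governed by `directive` may be loaded from resource_url."""
    chain = [directive] + (FALLBACKS.get(directive, ["default-src"])
                           if directive in FETCH_DIRECTIVES else [])
    sources = next((policy[d] for d in chain if d in policy), None)
    if sources is None:
        return True  # no governing directive: the browser does not restrict this load
    url = urlsplit(resource_url)
    doc_origin = _origin(urlsplit(document_url))
    return any(_source_matches(s, url, doc_origin) for s in sources)


def permissive_keywords(policy):
    """Directives carrying policy-weakening keywords, e.g. {'script-src': ["'unsafe-eval'"]}."""
    return {d: [s for s in srcs if s.lower() in PERMISSIVE]
            for d, srcs in policy.items() if any(s.lower() in PERMISSIVE for s in srcs)}


if __name__ == "__main__":
    policy = parse_csp(SCRYFALL_CSP)
    for directive, url in [("img-src", "https://cards.scryfall.io/card.jpg"),
                           ("img-src", "https://scryfall.io/card.jpg"),
                           ("script-src", "https://example.com/a.js"),
                           ("object-src", "https://scryfall.com/x.swf"),
                           ("connect-src", "http://api.scryfall.com/cards")]:
        print(f"{directive:12} {url:40} {'allowed' if allows(policy, directive, url) else 'blocked'}")
    print("permissive keywords:", permissive_keywords(policy))
```

Running it shows the wildcard `*.scryfall.io` admitting a subdomain but not the bare domain, an absent `object-src` falling back to `default-src 'none'`, a schemeless `connect-src` entry rejecting plain http from an https document, and `'unsafe-eval'` in `script-src` as the one permissive keyword a reviewer would flag.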

In light of all this, I would approve this as SRE, but with some reluctance. While the use of Google Analytics may not be ideal, there's no such criterion in the CSP checklist, so I wouldn't think it fair to decline based on something that isn't in the CSP policy, especially since we whitelist Google itself. As for GDPR, as long as there's compliance with all the obligations, I wouldn't think it not being explicitly mentioned is such a huge issue.

I'd recommend that T&S considers this carefully in case these two issues would be a problem.

Unknown Object (User) unsubscribed. Mar 18 2023, 03:34

Hi,

I would like to start by apologizing on the project's behalf that your task was not resolved within a reasonable time. The community has now decided via RfC to merge with WikiTide and former volunteers will be returning and new ones will likely join. An event such as this one is unlikely to occur again.

Since your task has been opened for a long time, please let us know if (1) you still need it to be done or (2) if it's a bug: if it's still occurring.

NOTE: This is a mass message and not specific to any particular task.

Hi,

Since no response to the latest question has been received in a while, we must assume that this task is no longer needed and will now be closing it as Declined. (This is simply to indicate to us that the task was not done)

If you still need this task and are able to respond, please feel free to reopen this task and indicate that it is still needed and we will start working on it. I would like to apologize once again for any inconvenience caused by this task not being resolved within a reasonable time.

Reception123