Page MenuHomeMiraheze

Review reviservices.com CSP Entry
Closed, ResolvedPublic

Description


CSP REVIEW

  • Is the site equipped with a privacy policy?
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights?
  • Does the site provide a list of personal data being collected by using the service?
  • Is the website owner known to have a bad reputation regarding privacy?
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking?
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker?
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze?
  • Is the site equipped with a security policy?
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources?
  • Is the website owner known to have a bad reputation regarding information security?
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze?

Event Timeline

John triaged this task as Normal priority.Aug 28 2021, 19:31
John created this task.
Unknown Object (User) subscribed.Aug 29 2021, 21:27

As far as I can tell this is only here for js-wiki-cdn.reviservices.com so not sure why *.reviservices.com is whitelisted. But I can't find any initial task requesting this whitelisted either.

Unknown Object (User) added a subscriber: Reception123.Sep 1 2021, 06:01

I have updated the CSP (merged by @Reception123) to just use js-wiki-cdn.reviservices.com instead of the unnecessary wildcard.

Also maybe *css*-wiki-cdn IIRC…

Both urls are essentially GitHub Pages proxied thru Cloudflare.

For the record I do not attempt to comply w/ GDPR — only legislation that have any effect on me (and which I do comply) is Republic of Korea's Privacy Act. If someone invokes their rights protected under ROK Privacy Act, I'd be happy to comply but GDPR is not my law, despite whatever EU claims. Feel free to remove if this is unhappy to you.

Only data I (maybe) collect is User-Agent collected via Cloudflare (but I can turn it off anyway)

If it's Cloudflare and GitHub I think their Privacy Policy should apply anyway

@revi If you don't mind turning off UA collection that would be great and avoid any need for the checklist/GDPR.

Cloudflare is approved in T7903; GitHub is pending approval here T8003.

Based on the limited scope for this and the fact that Revi is a trusted user and the data collected is minimal, I would recommend approval. Passing onto T&S.

If this is approved, can you change the CSP domain to wiki-assets.sumin.wiki which I purchased to disable Cloudflare logging if it was technically feasible? Thanks!

Routed via Cloudflare and GitHub, this is fine.

With regards to the general purpose privacy policy, thankfully it does not apply here as services are entirely external, but if it did, the lack of commitment to GDPR would mean this would have been rejected.

John claimed this task.
John moved this task from DTech Review to Completed on the CSP Review board.