
Review Facebook CSP Entry
Closed, Declined (Public)



  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? While GDPR isn't specifically mentioned, Facebook allows you to delete/rectify/etc. your data
  • Does the site provide a list of personal data being collected by using the service? Yes. see PP
  • Is the website owner known to have a bad reputation regarding privacy? It's complicated
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Unsure
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Likely yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Don't see any specifics beyond general information
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? I don't see any particular way of contact besides general support

Event Timeline

John triaged this task as Normal priority. Aug 28 2021, 19:35
John created this task.

While there are some concerns regarding privacy and Facebook, this seems good to approve for the CSP whitelist in my opinion. Passing on to T&S.

Owen subscribed.

There are always privacy concerns with Facebook, particularly around heavily targeted and potentially intrusive advertising.

The site was added for T4978, which is an extension no longer in use on Miraheze. Unless other uses are identified, I think rejecting this pending an appropriate and useful use case is a good way forward.

Sending back for SRE Review to see if a use case exists. Otherwise, this is declined for now.

I will pay more attention to use cases in the future for CSP entries when reviewing and will look into whether there is still a use case for Facebook.

I haven't been able to find another use case beyond Widgets so I'll be removing Facebook for now. If a use case is identified (i.e. someone complains that they were using it and it's now broken) this can be reopened for further consideration.

Reception123 claimed this task.

Good afternoon. I apologize for commenting on a closed case, but I was wondering if you could reconsider the removal of Facebook from the CSP whitelist. The game that my wiki is about (unfortunately and frustratingly) currently only posts updates about the game on their Facebook page, so I added an iframe plugin to the main page of my wiki. I reference this quite frequently as I do not use Facebook outside of it.

Of course, if it is too much of a security issue then it's okay, I'll remove the plugin and just check the Facebook page itself for updates, but it is a bit more inconvenient for me and I do prefer having an at-a-glance newsfeed on the main page.

As reference, here is the main page of my wiki.

Thank you very much for your time and consideration!