Page MenuHomeMiraheze

Allow LucidChart iframes in CSP
Closed, ResolvedPublic

Description

Wiki URLinfomedia.miraheze.org

I would like to be able to embed LucidChart flow diagrams onto our Wiki, but the iframes are currently not rendering. Is there any way to enable this?

Here is a sample embed code:

<div style="width: 640px; height: 480px; margin: 10px; position: relative;"><iframe allowfullscreen frameborder="0" style="width:640px; height:480px" src="https://lucid.app/documents/embedded/7f04103a-35cc-4d7b-83b0-0d3be8c30d71" id="DGyf2k4KUvZ8"></iframe></div>

Requested domains: lucid.app

Reason: See above request

Related Links:



CSP REVIEW: lucid.app

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes, while the GDPR itself is not explicitly mentioned, mentions of EEA residents are made as well as California's privacy law which is similar to the GDPR, and a section detailing user rights as to their information which seems to match GDPR requirements
  • Does the site provide a list of personal data being collected by using the service? Yes, see PP
  • Is the website owner known to have a bad reputation regarding privacy? No indication of this
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? some features may not work, but generally seems ok
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes, likely
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes, specific email - [email protected]
  • Is the site equipped with a security policy? Part of Privacy policy
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? No specifics are given, only general assurances are made
  • Is the website owner known to have a bad reputation regarding information security? No evidence of this
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Doesn't seem to be a specific one, general support (or privacy) can likely be contacted

Event Timeline

Herald added subscribers: Unknown Object (User), Unknown Object (User), RhinosF1, Reception123. · View Herald TranscriptMay 12 2022, 09:03
Excelsis renamed this task from Allow LucidChart iframes to Review lucid.app CSP entry.May 12 2022, 09:11
RhinosF1 renamed this task from Review lucid.app CSP entry to Allow LucidChart iframes in CSP.May 12 2022, 09:13
RhinosF1 updated the task description. (Show Details)

Just to check that you're not looking for input on me on this and the review is something the miraheze team will do?

Please can I have an update on this?

Please can I have an update on this?

Sorry for the delay, I have now reviewed the website and the next step will be for our Trust & Safety team to review it.

(Comments: lucidapp.com/lucid.co seems to generally adhere to our checklist and there don't seem to be any particular issues, so this should be good to approve). Passing onto T&S for review.

Please can I have an update on this?

Sorry for the delay, I have now reviewed the website and the next step will be for our Trust & Safety team to review it.

(Comments: lucidapp.com/lucid.co seems to generally adhere to our checklist and there don't seem to be any particular issues, so this should be good to approve). Passing onto T&S for review.

Looking at the way Lucid.app's set up, Stewards or Interwiki Administrators may be able to add an interwiki prefix for you locally, with transclusion enabled, which may facilitate the same aims.

That being said, this seems to be a simple document viewer, not unlike Google Docs or CryptPad. I'll take a look a closer look at their Privacy Policy in the next couple of days, but I do agree this does look to be on the higher end of SRE's approval threshold and quite possibly will be approved. I would want to look more closely into this:

Yes, while the GDPR itself is not explicitly mentioned, mentions of EEA residents are made as well as California's privacy law which is similar to the GDPR, and a section detailing user rights as to their information which seems to match GDPR requirements

The California privacy law may be similar, but it is not equivalent to the UK Data Protection Act, so I want to look into those specific references around jurisdiction and data handling.

Hi,

I have found this page related to LucidChart and their GDPR compliance: https://lucid.co/gdpr-compliance

Hopefully this helps wrap things up.

Thanks

I have made a pull request for if this gets approved.

Please can we have an update on this?

Unknown Object (User) added a comment.Jul 4 2022, 07:42

@Owen, can you review this? Thanks!

Approved from my perspective.

Unknown Object (User) added a subscriber: John.Aug 14 2022, 05:53
Unknown Object (User) moved this task from Backlog to Short Term on the Technology-Team (MediaWiki) board.Sep 12 2022, 22:12
Unknown Object (User) removed a project: Configuration.Sep 13 2022, 16:33
John moved this task from Pending Addition to Completed on the CSP Review board.