
bilibili.com CSP whitelist
Closed, Declined · Public

Description

domain list:


CSP REVIEW

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes; while the GDPR itself is not explicitly mentioned, the mentions of the PIPL law in China are similar to the GDPR, and a section detailing user rights as to their information seems to be stricter than the GDPR. Overseas users can opt out of AppsFlyer through its opt-out page and of Firebase through [email protected]
  • Does the site provide a list of personal data being collected by using the service? Yes, in PP: "What personal information about you that we collect and process and why?"
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Yes, but only the video iframes are known to operate without cookies
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Yes
  • Is the site equipped with a security policy? Yes, see PP
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? Yes, in PP: "How do we keep your personal information secure?"
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? Through email in English: [email protected] or through their security website in Chinese: Bilibili Security. For unauthorized personal information reports, please contact through China Cyberspace Administration as they will check for any websites within China internet space.

Event Timeline

Max20091 triaged this task as Normal priority. May 20 2022, 08:49
Max20091 created this task.
Herald added subscribers: Unknown Object (User), Unknown Object (User), RhinosF1. May 20 2022, 08:49
Unknown Object (User) added a comment. May 20 2022, 09:12

It was added once (rPUPCa0ad7), but must've been removed at some point, as it doesn't seem to be in

Unknown Object (User) moved this task from Backlog to Short Term on the Technology-Team (MediaWiki) board.

Since the initial CSP review has been done by a non-SRE user, I will comment on my additional findings.

  • Regarding GDPR, I don't see any specific mentions of GDPR being complied with but relevant elements seem to exist. I'm not sure whether that's enough?
  • Regarding whether measures to protect security are described, it seems like there is a relatively detailed paragraph explaining

Overall, it seems like while Bilibili may have had some problems in the past, it has (as far as I can see) not had any clear issues with reputation, etc., and generally the privacy policy seems appropriate. The main issue would be whether them not specifically making mention of the GDPR would be an issue. I will transfer this to Trust & Safety for the next step, especially to review the GDPR aspect. I would likely say though that on the 'approval' scale, this website would likely be on the lower end.

  • About GDPR, it mostly goes through the 2 third parties, and you can opt out right on the AppsFlyer website. For Firebase, it's probably for people who use a Google account on the English platform to sign in.
  • About privacy reputation from the above article (for the Chinese platform, not the English one), the article is kinda wrong anyway, as you can register an account without entering any private information. The only thing that requires verifying private information is uploading and commenting, which is required by the Chinese government. And technically you can't verify an account to upload as a foreign user unless explicit consent is given by sending an email; the automated verification system only accepts Chinese info.

Since the initial CSP review has been done by a non-SRE user, I will comment on my additional findings.

  • Regarding GDPR, I don't see any specific mentions of GDPR being complied with but relevant elements seem to exist. I'm not sure whether that's enough?
  • Regarding whether measures to protect security are described, it seems like there is a relatively detailed paragraph explaining

Overall, it seems like while Bilibili may have had some problems in the past, it has (as far as I can see) not had any clear issues with reputation, etc., and generally the privacy policy seems appropriate. The main issue would be whether them not specifically making mention of the GDPR would be an issue. I will transfer this to Trust & Safety for the next step, especially to review the GDPR aspect. I would likely say though that on the 'approval' scale, this website would likely be on the lower end.

What are the approval scale possibilities?

The concern I have with this website is we've had a number of Terms of Use-related issues, both pre-Trust and Safety and since then, with wikis posting unauthorized personally identifying information, usually involving the BiliBili website in some way. Given the length of time such information was allowed to remain on the BiliBili platform, I'm not terribly confident in the responsiveness of the BiliBili's Data Protection Officer together with BiliBili's legal jurisdiction in which they operate.

What's the specific need here, and, given my concern above, is there not a video sharing site the videos could be posted to and we could whitelist that? For example, YouTube, or, failing that, a site like Google Drive (if that is already whitelisted), the Internet Archive, or similar.

! In T9252#187988, @Dmehus wrote:
Given the length of time such information was allowed to remain on the BiliBili platform, I'm not terribly confident in the responsiveness of the BiliBili's Data Protection Officer together with BiliBili's legal jurisdiction in which they operate.

Not sure when you saw those things, but recently the Chinese GDPR equivalent was launched, and most companies in CN already comply with the law.
And yes, the law doesn't have a required timescale to process data, but if the issue is big enough, the company's reputation will get ruined pretty fast (aka recorded in CN's Social Credit System, and you may know how horrible it was).
It is also much faster to remove those by requesting it from the government in case of serious issues (they do have pages that specifically handle these things).

! In T9252#187988, @Dmehus wrote:
What's the specific need here, and, given my concern above, is there not a video sharing site the videos could be posted to and we could whitelist that? For example, YouTube, or, failing that, a site like Google Drive (if that is already whitelisted), the Internet Archive, or similar.

There are things that can't be posted outside of the requested page (both personal issues and the fact that most videos on that site have the owner's signature embedded); attempting to post the video to other sites is basically breaking the ToS on both sides.
My best bet is to only whitelist player.bilibili.com (aka only the video player) in case of security or privacy concerns.
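To make the scoping point above concrete, here is an added example (not Miraheze's CSP code nor anything from the task) that applies the CSP3 host-source matching rules to iframe URLs. It shows that a frame-src entry of `https://player.bilibili.com` admits the player but not other hosts under bilibili.com, whereas a `*.bilibili.com` wildcard admits the whole domain; the sample URLs and policies in the test are constructed, and the helper names are this example's own.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # assumed when a port is omitted

def parse_source(expr):
    """Split a host-source like 'https://*.bilibili.com:443/embed/' into (scheme, host, port, path)."""
    scheme, rest = None, expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    host_port, slash, path = rest.partition("/")
    host, _, port = host_port.partition(":")
    return scheme, host.lower(), port or None, slash + path

def url_matches_source(url, expr):
    """CSP3 host-source matching (scheme, wildcard host, port, path); keyword sources are out of scope."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), (u.hostname or "").lower()
    if expr == "*":  # a bare '*' admits any network scheme
        return scheme in DEFAULT_PORTS
    src_scheme, src_host, src_port, src_path = parse_source(expr)
    # Scheme: an http source also admits https; anything else must match exactly.
    if src_scheme and scheme != src_scheme and (src_scheme, scheme) != ("http", "https"):
        return False
    # Host: '*.bilibili.com' needs at least one extra label; otherwise exact match.
    if src_host.startswith("*."):
        suffix = src_host[1:]
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
    elif host != src_host:
        return False
    # Port: omitted means the scheme's default port; '*' means any port.
    port = u.port or DEFAULT_PORTS.get(scheme)
    if src_port is None:
        if port != DEFAULT_PORTS.get(scheme):
            return False
    elif src_port != "*" and port != int(src_port):
        return False
    # Path: a trailing '/' is a prefix match, otherwise exact; empty matches everything.
    if src_path and src_path != "/":
        return u.path.startswith(src_path) if src_path.endswith("/") else u.path == src_path
    return True

def frame_allowed(url, frame_src):
    """True if any source expression in the frame-src list admits the iframe URL."""
    return any(url_matches_source(url, s) for s in frame_src)

# Constructed sample policies (not Miraheze's CSP): player-only whitelist vs. whole-domain wildcard.
PLAYER_ONLY = ["https://player.bilibili.com"]
WHOLE_DOMAIN = ["https://*.bilibili.com"]
```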

If the end goal is just to get the video player working, you can also consider making a feature request to the EmbedVideo extension. In that way, the CSP is only applied by the extension when needed.

Unknown Object (User) added a comment. May 31 2022, 07:49

If the end goal is just to get the video player working, you can also consider making a feature request to the EmbedVideo extension. In that way, the CSP is only applied by the extension when needed.

Our CSP overrides anything added by other extensions, so it wouldn't work unless in our CSP also I believe.

What's the specific need here, and, given my concern above, is there not a video sharing site the videos could be posted to and we could whitelist that? For example, YouTube, or, failing that, a site like Google Drive (if that is already whitelisted), the Internet Archive, or similar.

Bilibili is one of the largest video streaming platforms in China. Given the nature of the Great Firewall, visiting other sites is an issue for users residing within China, let alone the copyright issues associated with reuploading. I think it is worth considering because of its popularity, as long as it passes Trust & Safety.

Our CSP overrides anything added by other extensions, so it wouldn't work unless in our CSP also I believe.

Thanks, didn't know that. In that case I do still suggest a feature request to the EmbedVideo fork as it adds a layer of security by asking for explicit user consent to load the iframe and external resources.

Unknown Object (User) added a subscriber: Owen. Jul 4 2022, 07:42

@Owen, can you review this? Thanks!

Owen claimed this task.

The concern I have with this website is we've had a number of Terms of Use-related issues, both pre-Trust and Safety and since then, with wikis posting unauthorized personally identifying information, usually involving the BiliBili website in some way. Given the length of time such information was allowed to remain on the BiliBili platform, I'm not terribly confident in the responsiveness of the BiliBili's Data Protection Officer together with BiliBili's legal jurisdiction in which they operate.

This is a concern that has been raised, and given our previous experiences with it, unless evidence can be shown that this has drastically improved, I will side with Doug on this and not agree to approve.

Max20091 reopened this task as Open. Edited Jul 19 2022, 05:04
In T9252#192883, @Owen wrote:

The concern I have with this website is we've had a number of Terms of Use-related issues, both pre-Trust and Safety and since then, with wikis posting unauthorized personally identifying information, usually involving the BiliBili website in some way. Given the length of time such information was allowed to remain on the BiliBili platform, I'm not terribly confident in the responsiveness of the BiliBili's Data Protection Officer together with BiliBili's legal jurisdiction in which they operate.

This is a concern that has been raised, and given our previous experiences with it, unless evidence can be shown that this has drastically improved, I will side with Doug on this and not agree to approve.

  1. Unauthorized personally identifying information should be reported to the government; they have pages that specifically handle these things, as I said above. I don't think Bilibili has enough privilege to delete user data without their consent unless it's government-issued.
  2. So if 1 doesn't work, what about whitelisting it per wiki that has strict management? You can't just claim 1 bad apple spoils the barrel, right?

Edit: I'm new to Miraheze, so I have no idea what happened on this platform; was it long ago? I don't see any conversation about this blocking before, so I don't even know how bad it is.
Edit 2: If you want to report any unauthorized information, there is https://www.12377.cn/, through which you will contact the China Cyberspace Administration directly.

Unknown Object (User) added a comment. Jul 19 2022, 06:02

So if 1 doesn't work, what about whitelisting it per wiki that has strict management? You can't just claim 1 bad apple spoils the barrel, right?

That is not possible as far as I am aware. Our CSP whitelist is basically global or not at all. It cannot be done on a per-wiki basis.

John removed Owen as the assignee of this task. Jul 19 2022, 16:26
John moved this task from T&S Review to DTech Review on the CSP Review board.
John subscribed.

-> EM Review to take into account both SRE and T&S review

Unauthorized personally identifying information should be reported to the government; they have pages that specifically handle these things, as I said above. I don't think Bilibili has enough privilege to delete user data without their consent unless it's government-issued.

It is still a concern for me, so I am going to have to agree with @Owen here unfortunately. If T&S aren't satisfied this would sufficiently cover us in terms of data protection, I'm not in a position to overrule them.

Max20091 renamed this task from bilibili.com CSP whitelist to player.bilibili.com (and sites related to it) CSP whitelist. Nov 12 2022, 06:57
Max20091 reopened this task as Open.
Max20091 updated the task description.
Max20091 updated the task description.
Unknown Object (User) closed this task as Declined. Nov 12 2022, 07:06

This has already been declined. Please do not change the scope of tasks. For a different domain, a different task should be done. But for this, it might be declined once again.

Unknown Object (User) renamed this task from player.bilibili.com (and sites related to it) CSP whitelist to bilibili.com CSP whitelist. Nov 12 2022, 07:11
Unknown Object (User) updated the task description.