Third-party resources policy
This page contains a proposed policy regarding third-party resources. From June 05 to July 17, 2023 the Security team requested feedback on this proposal. Please find the closing notice and expected timeline for a decision regarding this proposal in this section of the talk page. You should not edit the proposed policy page directly.
Purpose
Wikimedia users can use user scripts, gadgets, or stylesheets to augment the functionality of a Wikimedia site. Some of those tools interact with, and share user data with, computer resources located outside Wikimedia's servers: third-party resources. This has sometimes contributed to account compromises and privacy issues. The Wikimedia Foundation's Terms of Use forbid violating the privacy of others,[1][2] and further highlight that third-party resources are neither endorsed nor monitored by the Foundation.[3] To provide better privacy to Wikimedia users, the following policy complements the Foundation's Terms of Use by covering the following aspects:
- Risks related to user scripts and gadgets loading third-party resources
- Best practices for script developers and gadget makers
- Administrative and technical measures to enforce best practices
- Particular conditions that may warrant exemptions
Definitions
The following definitions are relevant to this policy:
- Third-Party Resources: third-party resources are computer resources which are located outside Wikimedia production websites.[4] They may include but are not limited to: executable scripts, style sheets, image and font files, JSON/JSONP data.
- Users: Visitors and editors of Wikimedia websites
- Personal Information: Any information collected by a tool that could be used to personally identify you. For a more detailed definition, please refer to the Wikimedia Foundation’s main privacy policy.
Scope
The current Third-Party Resources Policy applies to user scripts and user gadgets that interact with computer resources located outside Wikimedia production websites. This may include appearance user scripts and editing or anti-vandalism gadgets, to name a few, so long as those gadgets and user scripts make use of third-party resources.
Risks
Information security
When a gadget or a user script loads a third-party resource, that resource is placed between the Wikimedia site and the user's data: a script fetched from an external host runs in the page with the same privileges as the user's session. While not all third-party resources are malicious, some can be used by their owners for a wide range of nefarious purposes. In practice, loading an externally hosted script is equivalent to a cross-site scripting (XSS) attack: the loaded code can, among other things, collect login information, act as the user's account, and perform vandalism at scale. This can be particularly damaging for users with advanced rights such as administrators. The Foundation's Security team has seen real-world examples of this type of attack. Also, because the Wikimedia Foundation has no control over those external platforms, the personal information they collect can be inadvertently disclosed, willingly turned over to government authorities, or shared with third parties, outside the control of both the user and the Foundation.
User privacy and safety
A gadget or user script which loads a third-party resource does more than just connect to that resource. Every request to a third-party host also shares information about the user, including the device they are using, their browser information, their IP address and hence approximate location, and (through the Referer header) which page they are viewing. This is particularly concerning for gadgets that are enabled by default on certain Wikimedia projects, since the data sharing may go unnoticed by users who never chose the gadget. Additionally, if the third-party resource has tracking features, any gadgets or scripts loading it could result in users' behavior being scrutinized against their will or without their consent, reused for monetization, surveillance, or other undesired purposes. For a number of vulnerable users, this can mean real-life consequences including harassment, identity theft, imprisonment, and physical harm.
Required precautions
Do not load external resources
Gadgets and user scripts must not load third-party resources. Developers of such tools should review their code to ensure it does not make any remote network connection (e.g. HTTP(S), WebSocket) to a third-party resource. This includes indirect loads: a stylesheet that imports a font or background image from an external host, or a script that inserts an image or iframe pointing outside production, loads a third-party resource just as a direct script include does.
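The review step above can be partly automated. The following Node.js script is an example added to this page, not a Wikimedia tool or part of the policy: it scans gadget or user-script source for absolute and protocol-relative URLs and reports every host that is not a Wikimedia production domain. The production domain list and the sample gadget are constructed for the example; the domain list must be checked against the real production host list before use, and WMCS hosts (toolforge.org, wmcloud.org, wmflabs.org) are deliberately absent because the policy treats them as third-party resources that need an exemption.

```javascript
// Added example for this policy page (not a Wikimedia tool): a static check a
// gadget author or reviewer can run offline to spot loads of third-party resources.
// ASSUMPTION: the domain list below is illustrative and must be maintained
// against the real Wikimedia production host list. WMCS hosts are intentionally
// absent: under the policy they are third-party resources needing an exemption.
const PRODUCTION_DOMAINS = [
  'wikipedia.org', 'wikimedia.org', 'mediawiki.org', 'wikidata.org',
  'wiktionary.org', 'wikibooks.org', 'wikiquote.org', 'wikisource.org',
  'wikinews.org', 'wikiversity.org', 'wikivoyage.org', 'wikifunctions.org',
];

// Matches absolute http(s)/ws(s) URLs and protocol-relative "//host/..." URLs.
// Group 1 is the host. A "//" that starts a comment has no host after it, so it
// does not match.
const URL_RE = /(?:https?:|wss?:)?\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?(?:[/?#][^\s'"`)]*)?/gi;

// True only for a production domain or a subdomain of one. The leading dot
// stops "wikipedia.org.example.test" and "notwikipedia.org" from passing.
function isProductionHost(host) {
  const h = host.toLowerCase();
  return PRODUCTION_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// Scans gadget/user-script source and returns every URL whose host is not a
// production host, with the 1-based line number it appears on.
function findThirdPartyLoads(source) {
  const findings = [];
  for (const m of source.matchAll(URL_RE)) {
    const host = m[1].toLowerCase();
    if (isProductionHost(host)) continue;
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ line, host, url: m[0] });
  }
  return findings;
}

// Constructed sample gadget (not a real gadget): two loads from production,
// which the policy allows, and three third-party loads, which it forbids.
const SAMPLE_GADGET = [
  "// Constructed sample gadget for this example",
  "mw.loader.load('https://en.wikipedia.org/w/index.php?title=User:Example/helper.js&action=raw&ctype=text/javascript');",
  "mw.loader.load('//upload.wikimedia.org/wikipedia/commons/thumb/x.png');",
  "$.getScript('https://cdn.example.net/lib.min.js');",
  "var ws = new WebSocket('wss://tracker.example.org/collect?u=' + mw.config.get('wgUserName'));",
  "importStylesheetURI('https://fonts.example.com/css?family=Roboto');",
].join('\n');

const findings = findThirdPartyLoads(SAMPLE_GADGET);
for (const f of findings) {
  console.log(`line ${f.line}: third-party host ${f.host} (${f.url})`);
}
if (findings.length === 0) console.log('no third-party loads found');
```

Run against the sample it reports lines 4, 5 and 6 (cdn.example.net, tracker.example.org, fonts.example.com). The check is deliberately coarse: a URL assembled at runtime from pieces, or hidden behind string obfuscation, will not match, and a URL that only appears in a comment will be flagged, so the output is a starting point for a human review rather than a verdict. The browser-side counterpart of this allowlist is the CSP header described under Enforcement.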
Search for alternative scripts
If applicable, gadget and user script developers must re-use resources that are already available on Wikimedia servers. By default, MediaWiki ships with a number of scripts and modules. Before considering any third-party resource, developers must explore whether an existing MediaWiki module or community-made user script could achieve the same purpose. While re-using or improving scripts available within the community, it is also good practice to follow the general guidelines on gadget development regarding pain points such as error handling and code maintenance.
Exemptions
Opt-in exemption granted by users
By default, gadgets and user scripts are not allowed to load non-production resources. However, users can authorize specific gadgets and user scripts to load third-party resources. In this case, users must opt in, that is, give their informed consent before using those specific gadgets and user scripts. While it is expected that users will express their consent through a flow similar to OAuth authorization, the practical implementation of this opt-in mechanism is purposely not written in detail in this policy. Instead, the opt-in exemption principle is stated here to support the practical implementation once it is in place.[5]
Additional transparency requirements
Although users' consent is required, a third-party resource must also meet a number of transparency conditions before being embedded in gadgets and user scripts. To be exempted, an external resource must:
- Have its source code public and referenced at Third-party resources policy/Noticeboard, alongside an up-to-date description of the personal information processed, and a point of contact for raising issues. This will help ensure public scrutiny and some auditability of the resource.
- If the third-party resource is hosted on Wikimedia Cloud Services (WMCS), comply with the WMCS terms of use. Its code must also be inspectable: the WMCS resource developer must ensure that the code hosted on WMCS is human-readable (not minified or obfuscated), with the sole exception of configuration files containing credentials. This ensures that automated code scanning and other auditing mechanisms can be carried out for better security and privacy.
Enforcement
If the use of third-party resources results in a violation of this policy, two sets of actions can help safeguard the privacy of end users: manual removal and automated disabling.
Manual removal
Manual removal involves a direct intervention by Wikimedia users.
If you hold sufficient permissions and come across a gadget or user script which violates this policy, you can blank the page and notify its author with a message on their talk page. If you are unsure whether you should remove the gadget or user script, please report it to an Administrator or Steward, or send an email to the Foundation's Security team (security-team[at]wikimedia.org).
Automated disabling through CSP
Automated disabling means disabling at the software or server level with no direct human intervention. Under the current policy, automated disabling takes the form of Content Security Policy (CSP). CSP is a browser security mechanism controlled by an HTTP response header that MediaWiki can send with every page: when enforced, the browser refuses to load scripts, stylesheets and other resources from any origin the header does not allow, regardless of what a gadget or user script requests. Currently, this feature does not block any third-party resources: it is only enabled in report-only mode on some Wikimedia projects, where the browser reports violations to the server but still loads the resource.[6] However, there are ongoing discussions to set CSP to enforcing mode on all Wikimedia projects at some point in the future. Once it is in effect, CSP will also enforce this policy and bar user scripts and gadgets from loading third-party resources in production, unless those are covered by this policy's exemptions.