Third-party resources policy: Difference between revisions

From Meta, a Wikimedia project coordination wiki
Content deleted Content added
translation tweaks
 
(40 intermediate revisions by 20 users not shown)
Line 1: Line 1:
<languages />
<languages />
{{ombox|type=notice|image=[[File:Time font awesome.svg|45px]]|text=<translate>
{{ombox|type=notice|image=[[File:Time font awesome.svg|45px]]|text=<translate>
<!--T:32-->
<!--T:83-->
This page contains a proposed policy regarding third-party resources. Following previous conversations [[<tvar name="1">phab:T296847</tvar>|on that subject]], the proposed policy provides a baseline for discussing and formalizing the restrictions on the use of third-party resources in gadgets and user scripts.</translate> <translate><!--T:33--> You should not edit this page directly; suggestions and comments are welcomed on the [[<tvar name="1">Talk:Third-party resources policy</tvar>|Talk Page]] until 17 July, 2023. Thank you for your patience while discussions are still ongoing.</translate>
This page contains a proposed policy regarding third-party resources. From June 05 to July 17, 2023 the [[<tvar name="secteam">Mw:Wikimedia Security Team</tvar>|Security team]] requested feedback on this proposal. Please find the closing notice and expected timeline for a decision regarding this proposal [[<tvar name="talkpage">Talk:Third-party resources policy#18_July_2023:_Third-party_resources_policy_consultation_closed</tvar>|in this section]] of the talk page. You should not edit the proposed policy page directly.</translate>
}}
}}


Line 8: Line 8:
<translate>
<translate>
<!--T:35-->
<!--T:35-->
Wikimedia users can use [[<tvar name="1">:en:Wikipedia:Userscripts</tvar>|user scripts]] or [[<tvar name="2">:en:en:Wikipedia:Gadget</tvar>|gadgets]], or [[<tvar name="3">mw:Manual:CSS</tvar>|stylesheets]] to augment the functionalities of a Wikimedia site. Some of those tools interact and share user data with computer resources which are located outside Wikimedia’s servers: third-party resources. This has sometimes contributed to account compromises and privacy issues. However, the Wikimedia Foundation’s Terms of Use forbid violating the privacy of others,</translate><ref><translate><!--T:36--> Art 4 of the Foundation's Terms of Use, </translate>https://foundation.wikimedia.org/wiki/Terms_of_Use/en#4._Refraining_from_Certain_Activities</ref><ref><translate><!--T:37--> The Wikimedia Foundation’s Privacy Policy does not cover how third parties handle the information they receive.</translate> <translate><!--T:38--> See [[<tvar name="1">foundation:Privacy policy#What This Privacy Policy Does & Doesn't Cover</tvar>|What This Privacy Policy Does & Doesn't Cover]] section of the Privacy Policy</translate></ref> <translate><!--T:39--> and further highlights that third-party resources are not endorsed or monitored by the Foundation</translate>.<ref><translate><!--T:40--> Art 9 of the Foundation's Terms of Use, </translate>https://foundation.wikimedia.org/wiki/Terms_of_Use/en#9._Third-party_Websites_and_Resources</ref> <translate><!--T:41--> To provide better privacy to Wikimedia users, the following policy complements the Foundation’s Terms of Use by covering the following aspects</translate>:
Wikimedia users can use [[<tvar name="1">:en:Wikipedia:Userscripts</tvar>|user scripts]] or [[<tvar name="2">:en:en:Wikipedia:Gadget</tvar>|gadgets]], or [[<tvar name="3">mw:Manual:CSS</tvar>|stylesheets]] to augment the functionalities of a Wikimedia site. Some of those tools interact and share user data with computer resources which are located outside Wikimedia’s servers: third-party resources. This has sometimes contributed to account compromises and privacy issues. However, the Wikimedia Foundation’s Terms of Use forbid violating the privacy of others,</translate><ref><translate><!--T:36--> Art 4 of the Foundation's Terms of Use, </translate>https://foundation.wikimedia.org/wiki/Terms_of_Use/en#4._Refraining_from_Certain_Activities</ref><ref><translate><!--T:37--> The Wikimedia Foundation’s Privacy Policy does not cover how third parties handle the information they receive.</translate> <translate><!--T:38--> See [[<tvar name="1">foundation:Privacy policy#What This Privacy Policy Does & Doesn't Cover</tvar>|What This Privacy Policy Does & Doesn't Cover]] section of the Privacy Policy</translate></ref> <translate><!--T:39--> and further highlights that third-party resources are not endorsed or monitored by the Foundation.</translate><ref><translate><!--T:40--> Art 9 of the Foundation's Terms of Use, </translate>https://foundation.wikimedia.org/wiki/Terms_of_Use/en#9._Third-party_Websites_and_Resources</ref> <translate><!--T:41--> To provide better privacy to Wikimedia users, the following policy complements the Foundation’s Terms of Use by covering the following aspects:</translate>


* <translate><!--T:42--> Risks related to user scripts and gadgets loading third-party resources</translate>
* <translate><!--T:42--> Risks related to user scripts and gadgets loading third-party resources</translate>
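Review bot: the gadget link on the changed line, `[[<tvar name="2">:en:en:Wikipedia:Gadget</tvar>|gadgets]]`, carries a doubled `en:` prefix in both the old and the new text, while the neighbouring user-script link uses the single-prefix form `:en:Wikipedia:Userscripts`; since this revision already edits the line (moving the terminal period inside `<translate>`), fix the target to `:en:Wikipedia:Gadget` in the same edit so translators do not copy the broken link.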
Line 14: Line 14:
* <translate><!--T:63--> Administrative and technical measures to enforce best practices</translate>
* <translate><!--T:63--> Administrative and technical measures to enforce best practices</translate>
* <translate><!--T:64--> Particular conditions that may warrant exemptions</translate>
* <translate><!--T:64--> Particular conditions that may warrant exemptions</translate>

== <translate><!--T:44--> Definitions</translate> ==
== <translate><!--T:44--> Definitions</translate> ==
<translate><!--T:45--> The following are definitions relevant to this policy</translate>:
<translate><!--T:45--> The following are definitions relevant to this policy</translate>:
Line 27: Line 28:


=== <translate><!--T:54--> Information security</translate> ===
=== <translate><!--T:54--> Information security</translate> ===
<translate><!--T:55--> When a gadget or a user script loads a third-party resource, it enables that resource to stand between a Wikimedia Site and a user’s data. While not all third-party resources are malicious, some can be used by their owners for a wide range of nefarious purposes. For instance, loading third-party resources could serve as a partial means to a [[<tvar name="1">:en:Cross-site scripting#Exploit examples</tvar>|cross-site scripting]] (XSS) attack, where the resource being loaded can, among other things, collect login information, impersonate a user's account and perform vandalism at scale. This can be particularly damaging for users with advanced rights such as administrators. The Foundation's Security team has seen real-world examples of this type of attacks. Also, because the Wikimedia Foundation has no control over those external platforms, the personal information they collect can be inadvertently disclosed, willingly turned over to government authorities, or shared with third parties outside of the control of the user or the Foundation's.</translate>
<translate><!--T:55--> When a gadget or a user script loads a third-party resource, it enables that resource to stand between a Wikimedia Site and a user’s data. While not all third-party resources are malicious, some can be used by their owners for a wide range of nefarious purposes. For instance, loading third-party resources could serve as a partial means to a [[<tvar name="1">:en:Cross-site scripting#Exploit examples</tvar>|cross-site scripting]] (XSS) attack, where the resource being loaded can, among other things, collect login information, impersonate a user's account and perform vandalism at scale. This can be particularly damaging for users with advanced rights such as administrators. The Foundation's Security team has seen real-world examples of this type of attack. Also, because the Wikimedia Foundation has no control over those external platforms, the personal information they collect can be inadvertently disclosed, willingly turned over to government authorities, or shared with third parties outside of the control of the user or the Foundation's.</translate>


=== <translate><!--T:56--> User privacy and safety</translate> ===
=== <translate><!--T:56--> User privacy and safety</translate> ===
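Review bot: the final clause of the changed line, "outside of the control of the user or the Foundation's", is grammatically off in both versions (the possessive has nothing to attach to); as this hunk already touches the sentence for the "attacks" to "attack" fix, consider "outside the control of the user or the Foundation" here too.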
Line 43: Line 44:


=== <translate><!--T:67--> Opt-in exemption granted by users</translate> ===
=== <translate><!--T:67--> Opt-in exemption granted by users</translate> ===
<translate><!--T:68--> By default, gadgets and userscripts are not allowed to load non-production resources. However, users can authorize some gadgets and userscripts to load third-parties. In this case, users must opt-in — give their informed consent before using those specific gadgets and userscripts. While it is expected that users must express their consent through a flow similar to [[<tvar name="1">mw:OAuth/For Developers#Authorization</tvar>|OAuth authorization]], the practical implementation of this opt-in mechanism is purposely not written in detail in this policy. Instead, the opt-in exemption principle is referenced here to support the practical implementation once it is in place</translate><ref><translate><!--T:69--> It is worth noting that an opt-in exemption based on CSP was proposed in the past, ''see'' <tvar name="1">https://phabricator.wikimedia.org/T208188</tvar></translate></ref>.
<translate><!--T:68--> By default, gadgets and userscripts are not allowed to load non-production resources. However, users can authorize some gadgets and userscripts to load third-parties. In this case, users must opt-in — give their informed consent before using those specific gadgets and userscripts. While it is expected that users must express their consent through a flow similar to [[<tvar name="1">mw:OAuth/For Developers#Authorization</tvar>|OAuth authorization]], the practical implementation of this opt-in mechanism is purposely not written in detail in this policy. Instead, the opt-in exemption principle is referenced here to support the practical implementation once it is in place.</translate><ref><translate><!--T:69--> It is worth noting that an opt-in exemption based on CSP was proposed in the past, ''see'' <tvar name="1">https://phabricator.wikimedia.org/T208188</tvar></translate></ref>


=== <translate><!--T:70--> Additional transparency requirements</translate> ===
=== <translate><!--T:70--> Additional transparency requirements</translate> ===
<translate><!--T:71-->
<translate><!--T:71-->
Although users consent is required, a third-party resource must also meet a number of transparency conditions before being embedded in gadgets and userscripts. To be exempted, an external resource must:
Although users' consent is required, a third-party resource must also meet a number of transparency conditions before being embedded in gadgets and userscripts. To be exempted, an external resource must:
</translate>
</translate>
* <translate><!--T:72--> Have its source code public and referenced at [[<tvar name="1">Third-party resources policy/Noticeboard</tvar>|Third-party resources policy/Noticeboard]], alongside an up-to-date description of the personal information processed, and a point of contact for raising issues. This  will help ensure public scrutiny and some auditability of the resource.</translate>
* <translate><!--T:72--> Have its source code public and referenced at [[<tvar name="1">Third-party resources policy/Noticeboard</tvar>|Third-party resources policy/Noticeboard]], alongside an up-to-date description of the personal information processed, and a point of contact for raising issues. This will help ensure public scrutiny and some auditability of the resource.</translate>
* <translate><!--T:82--> If the third-party resource is hosted on Wikimedia Cloud Services code, its code should  comply with WMCS [[<tvar name="2">wikitech:Wikitech:Cloud Services Terms of use</tvar>|terms of use]]. Also, its code must be inspectable — the WMCS resource developer must ensure that the code hosted on WMCS [[<tvar name="3">:en:Chmod#Symbolic modes</tvar>|is human-readable]], except for configuration files containing credentials. This will ensure that automated code scanning and other auditing mechanisms can be carried out for better security and privacy.</translate>
* <translate><!--T:82--> If the third-party resource is hosted on Wikimedia Cloud Services code, its code should comply with WMCS [[<tvar name="2">wikitech:Wikitech:Cloud Services Terms of use</tvar>|terms of use]]. Also, its code must be inspectable — the WMCS resource developer must ensure that the code hosted on WMCS [[<tvar name="3">:en:Chmod#Symbolic modes</tvar>|is human-readable]], except for configuration files containing credentials. This will ensure that automated code scanning and other auditing mechanisms can be carried out for better security and privacy.</translate>


== <translate><!--T:73--> Enforcement</translate> ==
== <translate><!--T:73--> Enforcement</translate> ==
Line 65: Line 66:


=== <translate><!--T:77--> Automated disabling through CSP</translate> ===
=== <translate><!--T:77--> Automated disabling through CSP</translate> ===
<translate><!--T:78--> Automated disabling involves disabling at the software or server level with no direct human intervention. In the current policy, automated disabling takes the form of [[<tvar name="1">phab:T28508</tvar>|Content Security Policy]] (CSP). CSP is a layer of security within the MediaWiki software which can prevent the loading of third-party resources. Currently, this feature does not block any third-party resources but is only enabled in report-only mode on some wikimedia projects</translate><ref><translate><!--T:79--> MediaWiki's CSP is [<tvar name="1">https://github.com/wikimedia/operations-mediawiki-config/blob/47cfef8faf15d815994e865afb6133119e3c1490/wmf-config/InitialiseSettings.php#L11994-L12001</tvar> enabled] in report-only mode for [[<tvar name="2">wikitech:Deployments/Train#Groups</tvar>|group0 wikis]], outreachwiki and small wikis. It doesn't block any external resources anywhere EXCEPT for the CentralNotice [<tvar name="3">https://github.com/wikimedia/operations-mediawiki-config/blob/47cfef8faf15d815994e865afb6133119e3c1490/wmf-config/CommonSettings.php#L2255-L2258</tvar> banner previews]</translate></ref>.<translate><!--T:80--> However, there are ongoing [[<tvar name="1">phab:T135963#4500035</tvar>|discussions]] to set CSP to enforce on all Wikimedia projects at some point in the future. Once it is in effect, CSP will also enforce this policy and bar user scripts and gadgets from loading third-party resources in production, unless those are covered by this policy's exemptions.</translate>
<translate><!--T:78--> Automated disabling involves disabling at the software or server level with no direct human intervention. In the current policy, automated disabling takes the form of [[<tvar name="1">phab:T28508</tvar>|Content Security Policy]] (CSP). CSP is a layer of security within the MediaWiki software which can prevent the loading of third-party resources. Currently, this feature does not block any third-party resources but is only enabled in report-only mode on some wikimedia projects.</translate><ref><translate><!--T:79--> MediaWiki's CSP is [<tvar name="1">https://github.com/wikimedia/operations-mediawiki-config/blob/47cfef8faf15d815994e865afb6133119e3c1490/wmf-config/InitialiseSettings.php#L11994-L12001</tvar> enabled] in report-only mode for [[<tvar name="2">wikitech:Deployments/Train#Groups</tvar>|group0 wikis]], outreachwiki and small wikis. It doesn't block any external resources anywhere EXCEPT for the CentralNotice [<tvar name="3">https://github.com/wikimedia/operations-mediawiki-config/blob/47cfef8faf15d815994e865afb6133119e3c1490/wmf-config/CommonSettings.php#L2255-L2258</tvar> banner previews]</translate></ref><translate><!--T:80--> However, there are ongoing [[<tvar name="1">phab:T135963#4500035</tvar>|discussions]] to set CSP to enforce on all Wikimedia projects at some point in the future. Once it is in effect, CSP will also enforce this policy and bar user scripts and gadgets from loading third-party resources in production, unless those are covered by this policy's exemptions.</translate>


<br />
<br />
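Review bot: the new text of this hunk drops the period after `</ref>` and leaves no space between `</ref>` and `<translate><!--T:80-->`, so the rendered paragraph runs the footnote marker straight into the next sentence ("[6]However", as in the current rendering of the Enforcement section). Keep the period move inside the translation unit (`...some wikimedia projects.</translate>`), but add a space between `</ref>` and `<translate><!--T:80-->`; "wikimedia projects" should also be capitalised as "Wikimedia projects" while the unit is being retranslated anyway.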

Latest revision as of 08:45, 14 August 2023

Purpose

Wikimedia users can use user scripts, gadgets, or stylesheets to augment the functionality of a Wikimedia site. Some of those tools interact with, and share user data with, computer resources located outside Wikimedia’s servers: third-party resources. This has sometimes contributed to account compromises and privacy issues. However, the Wikimedia Foundation’s Terms of Use forbid violating the privacy of others,[1][2] and further highlight that third-party resources are neither endorsed nor monitored by the Foundation.[3] To provide better privacy to Wikimedia users, the following policy complements the Foundation’s Terms of Use by covering the following aspects:

  • Risks related to user scripts and gadgets loading third-party resources
  • Best practices for script developers and gadget makers
  • Administrative and technical measures to enforce best practices
  • Particular conditions that may warrant exemptions

Definitions

The following are definitions relevant to this policy:

  • Third-Party Resources: third-party resources are computer resources which are located outside Wikimedia production websites.[4] They may include but are not limited to: executable scripts, style sheets, image and font files, JSON/JSONP data.
  • Users: Visitors and editors of Wikimedia websites
  • Personal Information: Any information collected by a tool that could be used to personally identify you. For a more detailed definition, please refer to the Wikimedia Foundation’s main privacy policy.

Scope

The current Third-Party Resources Policy applies to user scripts and user gadgets interacting with computer resources which are located outside Wikimedia production websites. This may include appearance userscripts, editing or anti-vandalism gadgets, to name a few, so long as those gadgets and user scripts make use of third-party resources.

Risks

Information security

When a gadget or a user script loads a third-party resource, it enables that resource to stand between a Wikimedia site and a user’s data. While not all third-party resources are malicious, some can be used by their owners for a wide range of nefarious purposes. For instance, loading third-party resources could serve as a partial means to a cross-site scripting (XSS) attack, where the resource being loaded can, among other things, collect login information, impersonate a user's account and perform vandalism at scale. This can be particularly damaging for users with advanced rights such as administrators. The Foundation's Security team has seen real-world examples of this type of attack. Also, because the Wikimedia Foundation has no control over those external platforms, the personal information they collect can be inadvertently disclosed, willingly turned over to government authorities, or shared with third parties outside the control of the user or the Foundation.

User privacy and safety

A gadget or user script which loads a third-party resource does more than just connect to that resource. Gadgets or user scripts connecting to third-party resources may also share information about users, including the device they are using, their browser information, and their location. This is particularly concerning for gadgets that are enabled by default on certain Wikimedia projects, since data sharing may go unnoticed. Additionally, if the third-party resource has tracking features, any gadget or script loading it could result in users' behavior being scrutinized against their will or without their consent, and reused for monetization, surveillance, or other undesired purposes. For a number of vulnerable users, this often means real-life consequences including harassment, identity theft, imprisonment, and physical harm.

Required precautions

Do not load external resources

Gadgets and user scripts must not load third-party resources. Developers of such tools should review their code to ensure it does not include any remote network connection (e.g. HTTP, WebSocket) to a third-party resource.

Search for alternative scripts

If applicable, gadget and user script developers must re-use resources that are already available on Wikimedia servers. By default, MediaWiki comes with a number of scripts and modules. Before considering any third-party resource, developers must explore whether any MediaWiki module or community-made user script could achieve the same purpose. While re-using or improving scripts available within the community, it is also good practice to follow the general guidelines on gadget development regarding pain points such as error handling and code maintenance.

Exemptions

Opt-in exemption granted by users

By default, gadgets and user scripts are not allowed to load non-production resources. However, users can authorize some gadgets and user scripts to load third-party resources. In this case, users must opt in — give their informed consent before using those specific gadgets and user scripts. While it is expected that users must express their consent through a flow similar to OAuth authorization, the practical implementation of this opt-in mechanism is purposely not written in detail in this policy. Instead, the opt-in exemption principle is referenced here to support the practical implementation once it is in place.[5]

Additional transparency requirements

Although users' consent is required, a third-party resource must also meet a number of transparency conditions before being embedded in gadgets and userscripts. To be exempted, an external resource must:

  • Have its source code public and referenced at Third-party resources policy/Noticeboard, alongside an up-to-date description of the personal information processed, and a point of contact for raising issues. This will help ensure public scrutiny and some auditability of the resource.
  • If the third-party resource is hosted on Wikimedia Cloud Services (WMCS), its code should comply with the WMCS terms of use. Also, its code must be inspectable — the WMCS resource developer must ensure that the code hosted on WMCS is human-readable, except for configuration files containing credentials. This will ensure that automated code scanning and other auditing mechanisms can be carried out for better security and privacy.

Enforcement

If the use of third-party resources results in the violation of this policy, two sets of actions can help safeguard the privacy of end-users: manual removal and automated disabling.

Manual removal

Manual removal involves a direct intervention by Wikimedia users.

If you hold sufficient permissions and come across a gadget or user script which violates this policy, you can proceed in blanking the page and notify its author with a message on their talk page. If you are unsure whether you should remove the gadget or user script, please report it to an Administrator or Steward or send an email to the Foundation’s Security team (security-team[at]wikimedia.org).

Automated disabling through CSP

Automated disabling involves disabling at the software or server level with no direct human intervention. In the current policy, automated disabling takes the form of Content Security Policy (CSP). CSP is a layer of security within the MediaWiki software which can prevent the loading of third-party resources. Currently, this feature does not block any third-party resources: it is only enabled in report-only mode on some Wikimedia projects.[6] However, there are ongoing discussions to switch CSP to enforcing mode on all Wikimedia projects at some point in the future. Once it is in effect, CSP will also enforce this policy and bar user scripts and gadgets from loading third-party resources in production, unless those are covered by this policy's exemptions.


  1. Art. 4 of the Foundation's Terms of Use, https://foundation.wikimedia.org/wiki/Terms_of_Use/en#4._Refraining_from_Certain_Activities
  2. The Wikimedia Foundation’s Privacy Policy does not cover how third parties handle the information they receive. See the "What This Privacy Policy Does & Doesn't Cover" section of the Privacy Policy.
  3. Art. 9 of the Foundation's Terms of Use, https://foundation.wikimedia.org/wiki/Terms_of_Use/en#9._Third-party_Websites_and_Resources
  4. The term "production" has traditionally been used to identify core projects, technical sites, Foundation websites, and a number of Wikimedia community sites. See Complete list of Wikimedia projects.
  5. It is worth noting that an opt-in exemption based on CSP was proposed in the past, see https://phabricator.wikimedia.org/T208188
  6. MediaWiki's CSP is enabled in report-only mode for group0 wikis, outreachwiki and small wikis. It doesn't block any external resources anywhere EXCEPT for the CentralNotice banner previews.