Third-party resources policy

Purpose

Wikimedia users can use user scripts or gadgets, or stylesheets to augment the functionalities of a Wikimedia site. Some of those tools interact and share user data with computer resources which are located outside Wikimedia’s servers: third-party resources. This has sometimes contributed to account compromises and privacy issues. However, the Wikimedia Foundation’s Terms of Use forbid violating the privacy of others,[1][2] and further highlights that third-party resources are not endorsed or monitored by the Foundation.[3] To provide better privacy to Wikimedia users, the following policy complements the Foundation’s Terms of Use by covering the following aspects:

  • Risks related to user scripts and gadgets loading third-party resources
  • Best practices for script developers and gadget makers
  • Administrative and technical measures to enforce best practices
  • Particular conditions that may warrant exemptions

Definitions

The following are definitions relevant to this policy:

  • Third-Party Resources: third-party resources are computer resources which are located outside Wikimedia production websites.[4] They may include but are not limited to: executable scripts, style sheets, image and font files, JSON/JSONP data.
  • Users: Visitors and editors of Wikimedia websites
  • Personal Information: Any information collected by a tool that could be used to personally identify you. For a more detailed definition, please refer to the Wikimedia Foundation’s main privacy policy.

Scope

The current Third-Party Resources Policy applies to user scripts and user gadgets interacting with computer resources which are located outside Wikimedia production websites. This may include appearance userscripts, editing or anti-vandalism gadgets, to name a few, so long as those gadgets and user scripts make use of third-party resources.

Risks

Information security

When a gadget or a user script loads a third-party resource, it enables that resource to stand between a Wikimedia Site and a user’s data. While not all third-party resources are malicious, some can be used by their owners for a wide range of nefarious purposes. For instance, loading third-party resources could serve as a partial means to a cross-site scripting (XSS) attack, where the resource being loaded can, among other things, collect login information, impersonate a user's account and perform vandalism at scale. This can be particularly damaging for users with advanced rights such as administrators. The Foundation's Security team has seen real-world examples of this type of attack. Also, because the Wikimedia Foundation has no control over those external platforms, the personal information they collect can be inadvertently disclosed, willingly turned over to government authorities, or shared with third parties outside of the control of the user or the Foundation's.

User privacy and safety

A gadget or user script which loads a third-party resource does more than just connecting to that resource. Gadgets or user scripts connecting to third-party resources may also share information about users, including the device they are using, their browser information, and location. This is particularly concerning for gadgets that are enabled by default on certain Wikimedia projects, since data sharing may go unnoticed. Additionally, if the third-party resource has tracking features, any gadgets or scripts loading it could result in users' behavior being scrutinized against their will or without their consent, reused for monetization, surveillance, or other undesired purposes. For a number of vulnerable users, this often means real-life consequences including harassment, identity theft, imprisonment, and physical harm.

Required precautions

Do not load external resources

Gadgets and user scripts must not load third-party resources. Developers of such tools should review their code to ensure it does not include any remote network connection (eg: HTTP, WebSocket) to a third-party resource.

Search for alternative scripts

If applicable, gadget and user script developers must re-use resources that are already available on Wikimedia servers. By default, MediaWiki comes with a number of scripts or modules. Before considering any third-party resources, developers must explore whether there exist any MediaWiki modules or community-made user scripts that could achieve the same purpose. While re-using or improving scripts available within the community, it is also good practice to follow general guidelines on gadgets developments regarding pain points such as error handling and code maintenance.

Exemptions

Opt-in exemption granted by users

By default, gadgets and userscripts are not allowed to load non-production resources. However, users can authorize some gadgets and userscripts to load third-parties. In this case, users must opt-in — give their informed consent before using those specific gadgets and userscripts. While it is expected that users must express their consent through a flow similar to OAuth authorization, the practical implementation of this opt-in mechanism is purposely not written in detail in this policy. Instead, the opt-in exemption principle is referenced here to support the practical implementation once it is in place.[5]

Additional transparency requirements

Although users' consent is required, a third-party resource must also meet a number of transparency conditions before being embedded in gadgets and userscripts. To be exempted, an external resource must:

  • Have its source code public and referenced at Third-party resources policy/Noticeboard, alongside an up-to-date description of the personal information processed, and a point of contact for raising issues. This will help ensure public scrutiny and some auditability of the resource.
  • If the third-party resource is hosted on Wikimedia Cloud Services code, its code should comply with WMCS terms of use. Also, its code must be inspectable — the WMCS resource developer must ensure that the code hosted on WMCS is human-readable, except for configuration files containing credentials. This will ensure that automated code scanning and other auditing mechanisms can be carried out for better security and privacy.

Enforcement

If the use of third-party resources results in the violation of this policy, two sets of actions can help safeguard the privacy of end-users: manual removal and automated disabling.

Manual removal

Manual removal involves a direct intervention by Wikimedia users.

If you hold sufficient permissions and come across a gadget or user script which violates this policy, you can proceed in blanking the page and notify its author with a message on their talk page. If you are unsure whether you should remove the gadget or user script, please report it to an Administrator or Steward or send an email to the Foundation’s Security team (security-team[at]wikimedia.org).

Automated disabling through CSP

Automated disabling involves disabling at the software or server level with no direct human intervention. In the current policy, automated disabling takes the form of Content Security Policy (CSP). CSP is a layer of security within the MediaWiki software which can prevent the loading of third-party resources. Currently, this feature does not block any third-party resources but is only enabled in report-only mode on some wikimedia projects.[6]However, there are ongoing discussions to set CSP to enforce on all Wikimedia projects at some point in the future. Once it is in effect, CSP will also enforce this policy and bar user scripts and gadgets from loading third-party resources in production, unless those are covered by this policy's exemptions.


  1. Art 4 of the Foundation's Terms of Use, https://foundation.wikimedia.org/wiki/Terms_of_Use/en#4._Refraining_from_Certain_Activities
  2. The Wikimedia Foundation’s Privacy Policy does not cover how third parties handle the information they receive. See What This Privacy Policy Does & Doesn't Cover section of the Privacy Policy
  3. Art 9 of the Foundation's Terms of Use, https://foundation.wikimedia.org/wiki/Terms_of_Use/en#9._Third-party_Websites_and_Resources
  4. The term "production" has traditionally been used to identify core projects, technical sites, Foundation websites, and a number of Wikimedia community sites. See Complete list of Wikimedia projects.
  5. It is worth noting that an opt-in exemption based on CSP was proposed in the past, see https://phabricator.wikimedia.org/T208188
  6. MediaWiki's CSP is enabled in report-only mode for group0 wikis, outreachwiki and small wikis. It doesn't block any external resources anywhere EXCEPT for the CentralNotice banner previews