Thanks, that clarifies matters for me. I wasn't aware of #1, though I guess upon reflection that makes sense.
-Mike
On Thu, 2009-06-04 at 11:07 -0400, Gregory Maxwell wrote:
On Thu, Jun 4, 2009 at 11:01 AM, Mike.lifeguard mikelifeguard@fastmail.fm wrote:
On Thu, 2009-06-04 at 15:34 +0100, David Gerard wrote:
Then external site loading can be blocked.
Why do we need to block loading from all external sites? If there are specific & problematic ones (like google analytics) then why not block those?
Because:
(1) External loading results in an uncontrolled leak of private reader and editor information to third parties, in contravention of the privacy policy as well as basic ethical operating principles.
(1a) Most external loading script usage will also defeat users' choice of SSL and leak more information about their browsing to their local network. It may also bypass any Wikipedia-specific anonymization proxies they are using to keep their reading habits private.
(2) External loading produces a runtime dependency on third party sites. Some other site goes down and our users experience some kind of loss of service.
(3) The availability of external loading makes Wikimedia a potential source of very significant DDoS attacks, intentional or otherwise.
That's not to say that there aren't reasons to use remote loading, but the potential harms mean that it should probably be a default-deny permit-by-exception process rather than the other way around.
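
A default-deny, permit-by-exception check of the kind described in the quoted reply, as an added example that is not part of the original thread or of any Wikimedia code. The first-party domain list, the exception host maps.example.org and the function names are assumptions made for illustration.

```javascript
// Added example (not from the thread). Domain lists below are assumptions.
const FIRST_PARTY = ["wikipedia.org", "wikimedia.org"];
// Hypothetical, individually reviewed exception (constructed placeholder host).
const EXCEPTIONS = new Set(["maps.example.org"]);

function isFirstParty(host) {
  // Match the domain itself or a true subdomain; "wikipedia.org.evil.example"
  // and "evilwikipedia.org" must not pass.
  return FIRST_PARTY.some((d) => host === d || host.endsWith("." + d));
}

// Decide whether a page may load resourceUrl. Anything not explicitly
// permitted is denied, and each denial carries its reasons.
function classifyLoad(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page); // resolves relative and "//host" forms
  const host = res.hostname;
  const reasons = [];
  if (res.protocol !== "https:" && res.protocol !== "http:") {
    reasons.push("unsupported-scheme");
  } else {
    // Point (1): a host outside the list receives reader and editor request data.
    if (!isFirstParty(host) && !EXCEPTIONS.has(host)) reasons.push("third-party-host");
    // Point (1a): an http load from an https page is visible on the local network.
    if (page.protocol === "https:" && res.protocol === "http:") reasons.push("ssl-downgrade");
  }
  return { url: res.href, host, allowed: reasons.length === 0, reasons };
}

// Return only the denied loads for a list of URLs found in a script or page.
function auditLoads(pageUrl, urls) {
  return urls.map((u) => classifyLoad(pageUrl, u)).filter((r) => !r.allowed);
}

// Constructed sample input.
const sample = [
  "/w/index.php?title=MediaWiki:Common.js&action=raw",
  "//upload.wikimedia.org/example.js",
  "http://upload.wikimedia.org/example.js",
  "https://www.google-analytics.com/ga.js",
  "https://wikipedia.org.evil.example/a.js",
];
for (const r of auditLoads("https://en.wikipedia.org/wiki/Main_Page", sample)) {
  console.log("DENY", r.url, r.reasons.join(","));
}
```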