[Foundation-l] Guidelines for the use of iframes?

MZMcBride z at mzmcbride.com
Thu Mar 15 23:20:06 UTC 2012


Erik Moeller wrote:
> The rationale for the iframe is to automate the job listings on the
> WMF site and surface the various Jobvite features.

Right. But any feature comes with an associated cost. :-)

> Yes, that means that the user's browser will contact hire.jobvite.com
> when loading the page (although all its resources will be loaded in
> the context of the iframe). AFAICT the main issue here is to clarify
> in the footer that job applications and job descriptions are run
> through an external service called Jobvite and subject to the Jobvite
> privacy policy, to avoid any confusion.

Well, it's a lot more than that, surely. It reads to me like you're kind of
downplaying the implications when you say "yes, that means the user's
browser will contact hire.jobvite.com." This particular data is treated as
sacrosanct within the Wikimedia community (for better or worse). <iframe>s
have serious privacy and security issues. If they didn't, they'd be an
awfully convenient tool for implementing all kinds of neat ideas, both
between Wikimedia wikis and between Wikimedia wikis and the outside world.
But they're banned in MediaWiki by default (with good reason).

Through a loophole (allowing raw HTML on wikimediafoundation.org), they're
allowed in this specific case, but it's a matter of figuring out whether
Jobvite's privacy policy is compatible with Wikimedia Foundation's, I think.

> Whether the iframe is a good idea still remains to be seen.

Indeed. I've commented out the iframe for now while discussion continues,
until there's a clearer understanding of the implications of using this code
and of whether this particular third party's policy is compatible with
Wikimedia's.

I say "compatible" as it's a passive read action of wikimediafoundation.org
that will trigger data being sent to Jobvite. Adding a footer might be nice,
but if the user doesn't consent to Jobvite's privacy policy, simply reading
wikimediafoundation.org has already sent their data to the other server,
correct? In my mind, that means a footer or additional warning text is
insufficient.

MZMcBride
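The point made above (a passive page read with a live <iframe> already contacts the third-party host, so a footer cannot amount to consent) can be checked and avoided mechanically. The following is an added example, not code from the original thread or from the Wikimedia Foundation site: an audit function that scans raw HTML for elements the browser fetches automatically from a host other than wikimediafoundation.org, and a renderer that emits a consent-gated placeholder with no src attribute until the reader opts in. The first-party host list, the placeholder markup, the hypothetical path under hire.jobvite.com and the sample HTML are all constructed for the example.

```javascript
// Added example (not from the original thread). Assumes the page's own origin
// is wikimediafoundation.org; the listing URL path is a constructed placeholder.
const FIRST_PARTY_HOSTS = new Set([
  "wikimediafoundation.org",
  "www.wikimediafoundation.org",
]);
const PAGE_BASE = "https://wikimediafoundation.org/";

// Elements whose URL attribute is fetched as soon as the page is parsed,
// i.e. before the reader has agreed to anything.
const AUTO_LOAD_ATTRS = {
  iframe: ["src"],
  img: ["src"],
  script: ["src"],
  embed: ["src"],
  object: ["data"],
};

// Report every auto-loading element that points at a host outside the
// first-party set. Uses a deliberately simple tag scanner rather than a full
// HTML parser; good enough to audit the raw-HTML blocks discussed above.
function thirdPartyLoads(html, firstParty = FIRST_PARTY_HOSTS) {
  const findings = [];
  const tagRe = /<(iframe|img|script|embed|object)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    for (const attr of AUTO_LOAD_ATTRS[tag]) {
      // Lookbehind so that e.g. data-src="..." does not count as src="...".
      const attrRe = new RegExp(`(?<![\\w-])${attr}\\s*=\\s*["']([^"']+)["']`, "i");
      const a = attrRe.exec(attrs);
      if (!a) continue;
      let host;
      try {
        // Relative URLs resolve to the page's own host and are ignored below.
        host = new URL(a[1], PAGE_BASE).hostname;
      } catch {
        continue; // unparsable URL: nothing the browser would fetch
      }
      if (!firstParty.has(host)) findings.push({ tag, url: a[1], host });
    }
  }
  return findings;
}

const escAttr = (s) =>
  String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");

// Render either a consent-gated placeholder or the live embed. The placeholder
// carries the target only in a data- attribute, which browsers never fetch, so
// reading the page sends nothing to the third party until the button is used.
function renderEmbed({ src, title, width = "100%", height = "600" }, consented) {
  if (!consented) {
    return (
      `<div class="embed-placeholder" data-embed-src="${escAttr(src)}">` +
      `Job listings and applications are provided by an external service ` +
      `and subject to its privacy policy. ` +
      `<button type="button" data-action="load-embed">Load job listings</button></div>`
    );
  }
  // sandbox limits what the embedded document may do; referrerpolicy keeps the
  // wikimediafoundation.org URL the reader was on out of the request.
  return (
    `<iframe src="${escAttr(src)}" title="${escAttr(title)}" ` +
    `width="${escAttr(width)}" height="${escAttr(height)}" ` +
    `sandbox="allow-scripts allow-forms allow-same-origin" ` +
    `referrerpolicy="no-referrer"></iframe>`
  );
}

// Constructed sample: what an audit of a raw-HTML page might see.
const SAMPLE_PAGE =
  `<img src="/static/logo.png" alt="logo">` +
  `<script src="//cdn.example.net/widget.js"></script>` +
  renderEmbed({ src: "https://hire.jobvite.com/placeholder-listing", title: "Jobs" }, true);

function auditSample() {
  return thirdPartyLoads(SAMPLE_PAGE).map((f) => `${f.tag} -> ${f.host}`);
}
```

Running `auditSample()` on the constructed page flags the script on cdn.example.net and the iframe on hire.jobvite.com but not the first-party logo; the same audit over the placeholder variant of `renderEmbed` reports nothing, which is the property the footer alone cannot give.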




