Make WordPress Core

Opened 19 months ago

Closed 17 months ago

Last modified 15 months ago

#43631 closed defect (bug) (wontfix)

Contents of About page hosted on third party server

Reported by: Ov3rfly
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Privacy
Keywords: gdpr
Focuses:
Cc:
PR Number:

Description

As pointed out by @SergeyBiryukov in #41316, the About page of WordPress shows content which is hosted on a third party server.

The About page is linked in the admin bar of any user role, including subscribers.

The current user IP address and browser information is sent to a third party by visiting that page.

This might be an issue for #gdpr-compliance.

Change History (11)

#1 @Ov3rfly
19 months ago

  • Keywords gdpr added

#2 @SergeyBiryukov
19 months ago

  • Component changed from General to Help/About

#3 @azaozz
19 months ago

  • Keywords close added

Don't think using a CDN has anything to do with GDPR.

The current user IP address and browser information is sent to a third party by visiting that page.

Right, that is how the Internet works? How is that any different from visiting the front-end of the site? :)

Visiting any page on any site on the Internet sends your IP address and browser UA to all the routers on the way to the site's server(s). This may be to another country or even to another continent. In addition your internet provider or other network providers on the way to the site's server(s) may redirect your request to a caching service of their choice. You as a user have no control over this.

#4 @Ov3rfly
17 months ago

  • Keywords close removed

#5 @desrosj
17 months ago

  • Component changed from Help/About to Privacy

Moving to the new Privacy component.

17 months ago

This ticket was mentioned in Slack in #gdpr-compliance by desrosj.

#7 @allendav
17 months ago

I recommend a hook to disable that phone home - if an admin wants to privacy harden that far, that hook would support that.

17 months ago

This ticket was mentioned in Slack in #gdpr-compliance by desrosj.

#9 @desrosj
17 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

After discussing this during the recent bug scrub, for now, it's something that is plugin territory. The About page is not explicitly sending the IP as data.

If this level of hardening is desired, the admin_init hook can be used to redirect users to an alternate about page, and the URL in the admin bar can be changed in a number of ways.
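A must-use plugin implementing the workaround described in comment #9 (redirect from the admin_init hook, retarget the admin bar link), added here as an example; it is not code from the ticket or from WordPress core. The file header, the `local-about` slug and the replacement page text are constructed, and the plugin is assumed to live in wp-content/mu-plugins.

```php
<?php
/**
 * Plugin Name: Local About Page
 * Description: Constructed example for ticket #43631: keeps users off the core
 *              About page (which embeds third-party-hosted content) by sending
 *              them to a page served entirely from this site.
 */

// Register a replacement page under Dashboard that any logged-in user can read.
add_action( 'admin_menu', function () {
    add_dashboard_page(
        'About this site',   // page title (constructed)
        'About',             // menu title
        'read',              // capability: same audience as core's About page
        'local-about',       // menu slug (assumption; any unique slug works)
        function () {
            // Only local markup here: no images, fonts or scripts from remote hosts.
            echo '<div class="wrap"><h1>' . esc_html__( 'About this site', 'local-about' ) . '</h1>';
            echo '<p>' . esc_html__( 'This page replaces the core About page; nothing on it is loaded from a third-party server.', 'local-about' ) . '</p></div>';
        }
    );
} );

// Redirect requests for the core About screen to the local page (comment #9).
add_action( 'admin_init', function () {
    global $pagenow; // set by core from the requested admin script name
    if ( 'about.php' === $pagenow ) {
        wp_safe_redirect( admin_url( 'index.php?page=local-about' ) );
        exit;
    }
} );

// Point the admin bar's "About WordPress" entry at the local page as well.
// Core registers that node with id 'about' at priority 10, so run later.
add_action( 'admin_bar_menu', function ( $wp_admin_bar ) {
    if ( $wp_admin_bar->get_node( 'about' ) ) {
        // add_node() with an existing id keeps the node's other arguments.
        $wp_admin_bar->add_node( array(
            'id'   => 'about',
            'href' => admin_url( 'index.php?page=local-about' ),
        ) );
    }
}, 100 );
```

The redirect covers only about.php; links from other core screens (for example the welcome panel) still lead there and are caught by the same hook.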

17 months ago

This ticket was mentioned in Slack in #core-privacy by desrosj.

#11 @Ov3rfly
15 months ago

As there seems to be confusion about this matter:

The core About page (and other core features like #41316) include content from a third-party server.

This inclusion provides the user IP, browser info and website URL (via the referer) to a third party.

This behaviour voids #core-privacy (formerly known as #gdpr-compliance).

GDPR clearly defines 'personal data' and that you need to a) inform the user what happens with this data and b) obtain user consent for sharing this data with third parties.

Providing a GDPR compliant WordPress core is not about a "desired level of hardening", "plugin territory" or "thinking a CDN has nothing to do with GDPR", it is about complying with the existing laws.

WordPress core in its current state is not GDPR compliant.
