WordPress.org

Make WordPress Core

Opened 14 months ago

Last modified 4 months ago

#44001 new enhancement

oEmbed two click / local emoji scripts

Reported by: yoursql719 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 4.9.6
Component: Privacy Keywords: needs-patch
Focuses: Cc:

Description

Hi,

the first beta release 4.9.6 has a few optimziations due to the GDPR, but I think, WordPress is missing two very relevant features. With the latest beta release, WordPress would not be legal for use within the EU - except you´re using WordPress as private notepad!

1) oEmbed two click solution: similar to the shariff plugin, all embedded items via the core WordPress oEmbed function need a two click privacy. Only when the user first clicks on the embedded item, the scripts should be active and the user can view / listen to the embedded item.

2) The emoji script is loaded from Automaticc. There is no possibility to disable this behaviour or the best would be: load all scripts locally. This is one of the relevant of GDPR: you cannot tell your users or lawyers, why it is relevant for using your site, when specific scripts like emoji are loaded from a CDN. There is no need for a CDN.

It would be great, if you could still imagine to implement those both things, because they are rather important than a general privacy policy page, which the most users of WordPress had already created as a single page. And I think not all related core features needs an extra plugin, when it´s time to develop the core further. WordPress should go ahead and implement more features to the core than letting even more plugins used for a proper website.

Thanks and regards,

Change History (12)

#1 @swissspidy
14 months ago

  • Keywords gdpr added

#2 follow-up: @swissspidy
14 months ago

The emoji script is loaded from Automaticc

The emoji stuff is loaded from the WordPress.org CDN. It has nothing to do with the company Automattic.

As for the suggestions: IANAL, but I don't think these steps are necessary for GDPR compliance. But I leave that for the experts to decide.

#3 in reply to: ↑ 2 @yoursql719
14 months ago

Replying to swissspidy:

The emoji script is loaded from Automaticc

The emoji stuff is loaded from the WordPress.org CDN. It has nothing to do with the company Automattic.

Thanks for clarification. Even loading a script from a CDN must be clarified, if this CDN stores any user cookies / informations. Till now there is no information about what infos are stored to the wordpress servers everytime this script is loaded.

As for the suggestions: IANAL, but I don't think these steps are necessary for GDPR compliance. But I leave that for the experts to decide.

I can show you several posts about this problem and it is very relevant and one of the main parts of the GDPR: youtube and other providers stores cookies, when an user is accessing your site. Therefore it is not enough only to tell the user, that you´re doing this. You need the user to have a choise, wether he would like the see the video or not. It should NOT be loaded whithout any kind of opt in.
This is especially a german jurisdiction problem and yes if affects the e-privacy law partly, which comes with 2019, but some parts will be relevant on the may 25th.

#4 follow-up: @TimothyBlynJacobs
14 months ago

See also #43713

#5 in reply to: ↑ 4 @yoursql719
14 months ago

Replying to TimothyBlynJacobs:

See also #43713

Thanks. It´s a similar topic, but removing makes no sense. A two click option would be the best: what should happen to already embedded content? Disabling oEmbed in backend would be the worst solution ever.

This ticket was mentioned in Slack in #gdpr-compliance by allendav. View the logs.


14 months ago

#7 @desrosj
13 months ago

  • Component changed from General to Privacy

Moving to the new Privacy component.

This ticket was mentioned in Slack in #core-privacy by desrosj. View the logs.


13 months ago

#9 @desrosj
12 months ago

  • Summary changed from GDPR: oEmbed two click / local emoji scripts to oEmbed two click / local emoji scripts
  • Version changed from 4.9.5 to 4.9.6

#10 @desrosj
11 months ago

  • Keywords gdpr removed

Removing the GDPR keyword. This has been replaced by the new Privacy component and privacy focuses in Trac.

This ticket was mentioned in Slack in #core-privacy by garrett-eclipse. View the logs.


5 months ago

#12 @garrett-eclipse
4 months ago

The emoji script loaded via s.w.org was flagged again recently in #46343 and discussed a little in #core-privacy. We agree it should be bundled so it's loaded locally rather than from the external call.

If that is the direction things move for V2 of the privacy roadmap then there'd be no need to prefetch the domain which is raised a couple times;
#40426
#37788

Note: See TracTickets for help on using tickets.