[wp-trac] [WordPress Trac] #51092: Create a JSON schema for Privacy and Other Related Disclosures
WordPress Trac
noreply at wordpress.org
Fri Aug 21 09:44:20 UTC 2020
#51092: Create a JSON schema for Privacy and Other Related Disclosures
----------------------------------+--------------------------------
Reporter: carike | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 5.6
Component: Privacy | Version: trunk
Severity: normal | Resolution:
Keywords: needs-privacy-review | Focuses: rest-api, privacy
----------------------------------+--------------------------------
Description changed by carike:
Old description:
> **Background:**
>
> The Disclosures Tab is an initiative that is underway in the Core Privacy
> Team.
> The aim is to help site owners / admins better understand what
> information their site (plugins, themes and Core) collects, where the
> information is stored and where it is sent - and in particular, who it is
> shared with.
> We hope to help site owners / admins make more informed privacy choices
> (e.g. when choosing which plugin to install) and to better understand
> their risk profile when it comes to privacy.
> For the most part, the actual "controlling" is planned for a sibling
> plugin, the Permissions Tab, which is not currently intended to be merged
> into Core, as this will contain more advanced settings.
> You can read more about the various privacy initiatives here:
> https://make.wordpress.org/core/2020/08/19/minutes-core-privacy-
> meeting-19-august-2020/
>
> **The Challenge:**
>
> Free-form disclosures in the readme.txt would create a lot of additional
> work for the plugins review team.
> Moreover, it makes it near impossible to compare across plugins, or to
> use the information in any sort of automated process.
> The Disclosures Tab seeks to standardize the way that plugin, theme
> authors and Core can disclose privacy and other related concerns to site
> owners / admins, by creating quasi-"headers" and limiting the acceptable
> values for each.
>
> **The Solution:**
>
> Timothy suggested that each plugin could have a privacy.json file, which
> could then be read by Core (and Meta) using relatively simple REST API
> functionality.
> As all items are not strictly privacy related, the file will be called
> disclosures.json instead.
>
> This ticket proposes a JSON schema. Future tickets will deal with the
> validation and the display respectively.
> In its current form, the JSON schema does not set any fields as
> "required".
> As URLs are not one of the six data types accepted by JSON, these types
> have been set as "string"s. However, in the ticket to follow this one,
> the validation of the schema should include appropriate validation of the
> URLs.
>
> {{{#!php
> <?php
> {
> "$schema": "https://core.trac.wordpress.org/to.be.filled.in.later",
> "$id":
> "https://example.com/to.be.filled.in.later.disclosures.tab.json",
> "description": "The vision of the Disclosures Tab is for site
> administrators to understand their site's privacy risk profile and to
> make more informed privacy-related choices as a result. The mission of
> the Disclosures Tab is to help site administrators understand what
> information their site collects, where it is stored and where it is sent
> - and in particular, with whom it is shared.",
> "type": "object",
> "properties": {
> "identification": {
> "type": "object",
> "properties": {
> "component": {
> "description": "Please enter one of the following values:
> plugin, theme, Core",
> "type": "string"
> },
> "slug": {
> "description": "Please supply the slug, if the code
> relates to a plugin or a theme.",
> "type": "string"
> }
> }
> },
> "externalNetworkCalls": {
> "description": "Please enter a comma-separated list of URLs
> containing the links to the Privacy Policies of the sites to which the
> external calls are being made.",
> "type": "object",
> "properties": {
> "PHP": {
> "type": "string"
> },
> "JavaScript": {
> "type": "string"
> },
> "CSS": {
> "type": "string"
> }
> }
> },
> "SaaS": {
> "description": "Please provide a comma-separated list of URLs to
> the Terms of Service of any instances of Software as a Service.",
> "type": "string"
> },
> "ExternalAPICalls": {
> "description": "Please provide a comma-separated list of URLs to
> the Terms of Service of any external API being used.",
> "type": "string"
> },
> "APIEndpoints": {
> "description": "Please provide a comma-separated list of URLs
> for any internal API endpoints that are created by the code using
> example.com as the domain."
> "type": "string"
> },
> "RemoteAssets": {
> "description": "Please provide a comma-separated list of URLs to
> the license that applies to the use of each remote asset. This relates to
> the use of CDNs for images, fonts, etc.",
> "type": "string"
> },
> "LocalAssetLicenses": {
> "description": "Please provide a comma-separated list of URLs to
> the license that applies to the use of each asset that has been included
> locally. This includes the license of the code, as well as the licenses
> of any images, fonts, etc.",
> "type": "string"
> },
> "setsCookies": {
> "type": "object",
> "properties": {
> "PHP": {
> "description": "Please provide the names of any cookies
> that have been set using PHP.",
> "type": "string"
> },
> "JavaScript": {
> "description": "Please provide the names of any cookies
> that have been set using JavaScript.",
> "type": "string"
> }
> }
> },
> "WritesToDB": {
> "description": "Please indicate TRUE / FALSE to whether the code
> writes any data to the database.",
> "type": "boolean"
> },
> "CreatesCustomPostTypes": {
> "description": "Please indicate TRUE / FALSE as to whether the
> code creates any Custom Post Types",
> "type": "boolean"
> },
> "CreatesCustomTables": {
> "description": "Please indicate TRUE / FALSE as to whether the
> code creates any custom tables in the database.",
> "type": "boolean"
> },
> "StoresPPI": {
> "description": "Please indicate TRUE / FALSE as to whether the
> code stores any Protected Personal Information.",
> "type": "boolean"
> },
> "CompatibilityWithPrivacyTools": {
> "type": "object",
> "properties": {
> "PPIExport": {
> "description": "Do you as a developer consider the code to
> be compatible with the PPI Export Tool in WordPress?",
> "type": "boolean"
> },
> "PPIErasure": {
> "description": "Do you as a developer consider the code to
> be compatible with the PPI Erasure Tool in WordPress?",
> "type": "boolean"
> },
> "ConsentAPI": {
> "description": "Do you as a developer consider the code to
> be compatible with the WordPress Consent API?",
> "type": "boolean"
> },
> "DisclosuresTab": {
> "description": "Do you as a developer consider the code to
> be compatible with the Disclosure Tab?",
> "type": "boolean"
> },
> "PermissionsTab": {
> "description": "Do you as a developer consider the code to
> be compatible with the Permissions Tab?",
> "type": "boolean"
> }
> }
> }
New description:
**Background:**
The Disclosures Tab is an initiative that is underway in the Core Privacy
Team.
The aim is to help site owners / admins better understand what information
their site (plugins, themes and Core) collects, where the information is
stored and where it is sent - and in particular, who it is shared with.
We hope to help site owners / admins make more informed privacy choices
(e.g. when choosing which plugin to install) and to better understand
their risk profile when it comes to privacy.
For the most part, the actual "controlling" is planned for a sibling
plugin, the Permissions Tab, which is not currently intended to be merged
into Core, as this will contain more advanced settings.
You can read more about the various privacy initiatives here:
https://make.wordpress.org/core/2020/08/19/minutes-core-privacy-
meeting-19-august-2020/
**The Challenge:**
Free-form disclosures in the readme.txt would create a lot of additional
work for the plugins review team.
Moreover, it makes it near impossible to compare across plugins, or to use
the information in any sort of automated process.
The Disclosures Tab seeks to standardize the way that plugin, theme
authors and Core can disclose privacy and other related concerns to site
owners / admins, by creating quasi-"headers" and limiting the acceptable
values for each.
**The Solution:**
Timothy suggested that each plugin could have a privacy.json file, which
could then be read by Core (and Meta) using relatively simple REST API
functionality.
As all items are not strictly privacy related, the file will be called
disclosures.json instead.
This ticket proposes a JSON schema. Future tickets will deal with the
validation and the display respectively.
In its current form, the JSON schema does not set any fields as
"required".
As URLs are not one of the six data types accepted by JSON, these types
have been set as "string"s. However, in the ticket to follow this one, the
validation of the schema should include appropriate validation of the
URLs.
{{{#!php
<?php
{
"$schema": "https://core.trac.wordpress.org/to.be.filled.in.later",
"$id":
"https://example.com/to.be.filled.in.later.disclosures.tab.json",
"description": "The vision of the Disclosures Tab is for site
administrators to understand their site's privacy risk profile and to make
more informed privacy-related choices as a result. The mission of the
Disclosures Tab is to help site administrators understand what information
their site collects, where it is stored and where it is sent - and in
particular, with whom it is shared.",
"type": "object",
"properties": {
"identification": {
"type": "object",
"properties": {
"component": {
"description": "Please enter one of the following values:
plugin, theme, Core",
"type": "string"
},
"slug": {
"description": "Please supply the slug, if the code relates
to a plugin or a theme.",
"type": "string"
}
}
},
"externalNetworkCalls": {
"description": "Please enter a comma-separated list of URLs
containing the links to the Privacy Policies of the sites to which the
external calls are being made.",
"type": "object",
"properties": {
"PHP": {
"type": "string"
},
"JavaScript": {
"type": "string"
},
"CSS": {
"type": "string"
}
}
},
"SaaS": {
"description": "Please provide a comma-separated list of URLs to
the Terms of Service of any instances of Software as a Service.",
"type": "string"
},
"ExternalAPICalls": {
"description": "Please provide a comma-separated list of URLs to
the Terms of Service of any external API being used.",
"type": "string"
},
"APIEndpoints": {
"description": "Please provide a comma-separated list of URLs for
any internal API endpoints that are created by the code using example.com
as the domain."
"type": "string"
},
"RemoteAssets": {
"description": "Please provide a comma-separated list of URLs to
the license that applies to the use of each remote asset. This relates to
the use of CDNs for images, fonts, etc.",
"type": "string"
},
"LocalAssetLicenses": {
"description": "Please provide a comma-separated list of URLs to
the license that applies to the use of each asset that has been included
locally. This includes the license of the code, as well as the licenses of
any images, fonts, etc.",
"type": "string"
},
"setsCookies": {
"type": "object",
"properties": {
"PHP": {
"description": "Please provide the names of any cookies
that have been set using PHP.",
"type": "string"
},
"JavaScript": {
"description": "Please provide the names of any cookies
that have been set using JavaScript.",
"type": "string"
}
}
},
"DatabaseManagement": {
"type": "object",
"properties": {
"WritesToDB": {
"description": "Please indicate TRUE / FALSE to whether the
code writes any data to the database.",
"type": "boolean"
},
"CreatesCustomPostTypes": {
"description": "Please indicate TRUE / FALSE as to whether
the code creates any Custom Post Types",
"type": "boolean"
},
"CreatesCustomTables": {
"description": "Please indicate TRUE / FALSE as to whether
the code creates any custom tables in the database.",
"type": "boolean"
}
}
},
"StoresPPI": {
"description": "Please indicate TRUE / FALSE as to whether the
code stores any Protected Personal Information.",
"type": "boolean"
},
"CompatibilityWithPrivacyTools": {
"type": "object",
"properties": {
"PPIExport": {
"description": "Do you as a developer consider the code to
be compatible with the PPI Export Tool in WordPress?",
"type": "boolean"
},
"PPIErasure": {
"description": "Do you as a developer consider the code to
be compatible with the PPI Erasure Tool in WordPress?",
"type": "boolean"
},
"ConsentAPI": {
"description": "Do you as a developer consider the code to
be compatible with the WordPress Consent API?",
"type": "boolean"
},
"DisclosuresTab": {
"description": "Do you as a developer consider the code to
be compatible with the Disclosure Tab?",
"type": "boolean"
},
"PermissionsTab": {
"description": "Do you as a developer consider the code to
be compatible with the Permissions Tab?",
"type": "boolean"
}
}
}
--
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51092#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list