[wp-trac] [WordPress Trac] #51092: Create a JSON schema for Privacy and Other Related Disclosures
WordPress Trac
noreply at wordpress.org
Wed Aug 26 16:39:13 UTC 2020
#51092: Create a JSON schema for Privacy and Other Related Disclosures
----------------------------------+--------------------------------
Reporter: carike | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 5.6
Component: Privacy | Version: trunk
Severity: normal | Resolution:
Keywords: needs-privacy-review | Focuses: rest-api, privacy
----------------------------------+--------------------------------
Description changed by carike:
Old description:
> **Background:**
>
> The Disclosures Tab is an initiative that is underway in the Core Privacy
> Team.
> The aim is to help site owners / admins better understand what
> information their site (plugins, themes and Core) collects, where the
> information is stored and where it is sent - and in particular, who it is
> shared with.
> We hope to help site owners / admins make more informed privacy choices
> (e.g. when choosing which plugin to install) and to better understand
> their risk profile when it comes to privacy.
> For the most part, the actual "controlling" is planned for a sibling
> plugin, the Permissions Tab, which is not currently intended to be merged
> into Core, as this will contain more advanced settings.
> You can read more about the various privacy initiatives here:
> https://make.wordpress.org/core/2020/08/19/minutes-core-privacy-
> meeting-19-august-2020/
>
> **The Challenge:**
>
> Free-form disclosures in the readme.txt would create a lot of additional
> work for the plugins review team.
> Moreover, it makes it near impossible to compare across plugins, or to
> use the information in any sort of automated process.
> The Disclosures Tab seeks to standardize the way that plugin, theme
> authors and Core can disclose privacy and other related concerns to site
> owners / admins, by creating quasi-"headers" and limiting the acceptable
> values for each.
>
> **The Solution:**
>
> Timothy suggested that each plugin could have a privacy.json file, which
> could then be read by Core (and Meta) using relatively simple REST API
> functionality.
> As all items are not strictly privacy related, the file will be called
> disclosures.json instead.
>
> This ticket proposes a JSON schema. Future tickets will deal with the
> validation and the display respectively.
> In its current form, the JSON schema does not set any fields as
> "required".
> As URLs are not one of the six data types accepted by JSON, these types
> have been set as "string"s. The format has been set to "uri-reference" to
> allow for relative URLs.
> In the ticket to follow this one, the validation of the schema should
> include appropriate validation of the URLs in PHP.
> Further tickets should include ones to update WP-CLI and WordPress.org to
> make the strings translatable. Thanks to Swissspidy for the comment
> below!
>
> {{{#!php
> <?php
> {
> "$schema": "https://core.trac.wordpress.org/ticket/51092",
> "$id": "https://example.com/to.be.filled.in.later.disclosures.json",
> "description": "The vision of the Disclosures Tab is for site
> administrators to understand their site's privacy risk profile and to
> make more informed privacy-related choices as a result. The mission of
> the Disclosures Tab is to help site administrators understand what
> information their site collects, where it is stored and where it is sent
> - and in particular, with whom it is shared.",
> "type": "object",
> "properties": {
> "details": {
> "type": "object",
> "properties": {
> "component": {
> "description": "Please enter one of the following values:
> plugin, theme, or the specific Core component",
> "type": "string"
> },
> "slug": {
> "description": "Please supply the slug, if the code
> relates to a plugin or a theme.",
> "type": "string"
> },
> "version": {
> "description": "Please supply which version of
> disclosures.json this represents for the individual component.",
> "type": "string"
> },
> "since": {
> "description": "Please supply the plugin or theme's
> version number, or the Core version, if the component is a Core
> component, which introduced the current version of this disclosures.json
> file, i.e. this should represent the since value.",
> "type": "string"
> }
> }
> },
> "licenses": {
> "type": "object",
> "properties": {
> "code": {
> "description": "Please provide a URL to the license that
> applies to this component (plugin, theme, or Core component)'s use.",
> "type": "string"
> },
> "localAssets": {
> "description": "Please provide a comma-separated list of
> URLs to the license that applies to the use of each asset that has been
> included locally. This includes the license of any bundled libraries, as
> well as the licenses of any images, fonts, etc.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> },
> "remoteAssets": {
> "description": "Please provide a comma-separated list of
> URLs to the license that applies to the use of each asset that is
> accessed remotely. This includes the licenses of any external libraries,
> as well as the licenses of any images, fonts, etc.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> }
> }
> },
> "external": {
> "description": "A comma-separated list of URLs containing the
> links to the Privacy Policies of the sites to which the calls to external
> networks are being made.",
> "type": "object",
> "properties": {
> "PHP": {
> "description": "A comma-separated list of URLs of links to
> the respective Privacy Policies of the sites to which the external
> network calls are being made in PHP.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> },
> "JavaScript": {
> "description": "A comma-separated list of URLs of links to
> the respective Privacy Policies of the sites to which the external
> network calls are being made in JavaScript.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> },
> "CSS": {
> "description": "A comma-separated list of URLs of links to
> the respective Privacy Policies of the sites to which the external
> network calls are being made in CSS.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> }
> }
> },
> "terms": {
> "type": "object"
> "description": "A comma-separated list to third party Terms and
> Conditions, if applicable.",
> "properties": {
> "SaaS": {
> "description": "A comma-separated list of URLs to the
> Terms of Service of any instances of Software as a Service.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> },
> "externalAPIs": {
> "description": "A comma-separated list of URLs to the
> Terms of Service of any external API being used.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> },
> "remoteAssets": {
> "description": "A comma-separated list of URLs to the
> Terms of Service that applies to the use of each remote asset. This
> relates to the use of CDNs for images, fonts, etc.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> },
> "registration": {
> "description": "Please provide a comma-separated list of
> URLs to the Terms of Service that apply to any accounts that need to be
> registered in order to be able to make use of this component's code.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> }
> }
> },
> "openWeb": {
> "type": "object",
> "description": "Details about mechanisms that allow others to
> obtain information from the site without browsing the website's front
> end.",
> "properties": {
> "apiEndpoints": {
> "description": "A comma-separated list of URLs for any
> internal API endpoints that are created by the code.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> },
> "feeds": {
> "description": "A comma-separated list of URLs for any
> internal feeds that are created by the code.",
> "type": "array",
> "items": {
> "type": "string",
> "format": "uri-reference"
> },
> "uniqueItems": true
> }
> }
> },
> "clientSide": {
> "type": "object",
> "properties": {
> "setsCookiesPHP": {
> "description": "The names of any cookies that have been
> set using PHP.",
> "type": "array",
> "items": {
> "type": "string",
> },
> "uniqueItems": true
> },
> "setsCookiesJavaScript": {
> "description": "The names of any cookies that have been
> set using JavaScript.",
> "type": "array",
> "items": {
> "type": "string",
> },
> "uniqueItems": true
> },
> "usesLocalStorage": {
> "description": "Whether or not the code makes use of local
> storage.",
> "type": "boolean"
> }
> }
> },
> "database": {
> "type": "object",
> "properties": {
> "writesToDB": {
> "description": "Whether or not the code writes to the
> database.",
> "type": "object",
> "properties": {
> "auto": {
> "description": "Whether or not the code writes to
> the database in relation to information that is not explicitly input by a
> user.",
> "type": "boolean"
> },
> "manual": {
> "description": "Whether or not the code writes to
> the database that is not explicitly input by a user.",
> "type": "boolean"
> }
> }
> },
> "CPT": {
> "type": "object",
> "description": "Please indicate whether the component
> creates any Custom Post Types.",
> "properties": {
> "auto": {
> "description": "Please indicate the number of Custom
> Post Types that are automatically created by the code without user
> intervention.",
> "type": "integer",
> "minimum": 0
> },
> "manual": {
> "description": "Please indicate whether the code
> allows for users to generate Custom Post Types.",
> "type": "boolean"
> }
> }
> },
> "customTables": {
> "description": "Please indicate whether the code creates
> any custom tables in the database.",
> "type": "object",
> "properties": {
> "auto": {
> "description": "Please indicate the number of custom
> tables that are automatically created by the code without user
> intervention.",
> "type": "integer",
> "minimum": 0
> },
> "manual": {
> "description": "Please indicate whether the code
> allows the user to create any custom tables.",
> "type": "boolean"
> }
> }
> }
> }
> },
> "otherStorage": {
> "type": "object",
> "properties": {
> "writesToFiles": {
> "description": "A comma-separated list of file types the
> code writes to (e.g. .txt).",
> "type": "array",
> "items": {
> "type": "string",
> }
> },
> "fileStructure": {
> "description": "Whether or not the code makes changes to
> the website's file structure.",
> "type": "object",
> "properties": {
> "auto": {
> "description": "Whether or not the code makes
> changes, or is capable of making changes, to the website's file structure
> that are not explicitly initiated by a user. This does not include files
> that are added directly from the repository, or in the original .zip
> file.",
> "type": "boolean"
> },
> "manual": {
> "description": "Whether or not the code makes
> changes, or is capable of making changes, to the website's file structure
> that are explicitly initiated by the user. This does not include files
> that are added directly from the repository, or in the original .zip
> file.",
> }
> }
> }
> }
> },
> "ppi": {
> "description": "Please indicate TRUE / FALSE as to whether the
> code stores any Protected Personal Information.",
> "type": "boolean"
> },
> "compatibility": {
> "type": "object",
> "description": "Please indicate the component's compatibility
> with Privacy Tools.",
> "properties": {
> "ppiExport": {
> "description": "Does the developer, in good faith,
> consider the code to be compatible with the PPI Export Tool in
> WordPress?",
> "type": "boolean"
> },
> "ppiErasure": {
> "description": "Does the developer, in good faith,
> consider the code to be compatible with the PPI Erasure Tool in
> WordPress?",
> "type": "boolean"
> },
> "consentAPI": {
> "description": "Does the developer, in good faith,
> consider the code to be compatible with the WordPress Consent API?",
> "type": "boolean"
> },
> "disclosuresTab": {
> "description": "Do the developer, in good faith, consider
> the code to be compatible with the Disclosure Tab?",
> "type": "boolean"
> },
> "permissionsTab": {
> "description": "Do the developer, in good faith, consider
> the code to be compatible with the Permissions Tab?",
> "type": "boolean"
> }
> }
> },
> "monetization": {
> "type": "object",
> "description": "This section provides details regarding
> monetization practices.",
> "properties": {
> "upsells": {
> "description": "Does this code promote a paid version, or
> extensions, or other products or services from the same author(s)?",
> "type": "boolean"
> },
> "donations": {
> "description": "Does this code contain any request, or
> information in order to, donate to the plugin or its developer(s)?",
> "type": "boolean"
> },
> "backLinks": {
> "description": "Does this code contain or generate, or ask
> the site owner / admin for permission to generate, backlinks?",
> "type": "boolean"
> },
> "affiliates": {
> "description": "Does this code contain, or generate
> affiliate links - i.e. links from which the author may receive
> conditional compensation, whether in money, or in kind?",
> "type": "boolean"
> },
> "advertising": {
> "description": "Does the code contain, or generate
> promotions or recommendations for any products or services not directly
> under the control of the author(s), for which the author(s) receive any
> compensation, whether in money, or in kind?",
> "type": "boolean"
> }
> }
> }
> }
> }
New description:
**Background:**
The Disclosures Tab is an initiative that is underway in the Core Privacy
Team.
The aim is to help site owners / admins better understand what information
their site (plugins, themes and Core) collects, where the information is
stored and where it is sent - and in particular, who it is shared with.
We hope to help site owners / admins make more informed privacy choices
(e.g. when choosing which plugin to install) and to better understand
their risk profile when it comes to privacy.
For the most part, the actual "controlling" is planned for a sibling
plugin, the Permissions Tab, which is not currently intended to be merged
into Core, as this will contain more advanced settings.
You can read more about the various privacy initiatives here:
https://make.wordpress.org/core/2020/08/19/minutes-core-privacy-
meeting-19-august-2020/
**The Challenge:**
Free-form disclosures in the readme.txt would create a lot of additional
work for the plugins review team.
Moreover, it makes it near impossible to compare across plugins, or to use
the information in any sort of automated process.
The Disclosures Tab seeks to standardize the way that plugin, theme
authors and Core can disclose privacy and other related concerns to site
owners / admins, by creating quasi-"headers" and limiting the acceptable
values for each.
**The Solution:**
Timothy suggested that each plugin could have a privacy.json file, which
could then be read by Core (and Meta) using relatively simple REST API
functionality.
As all items are not strictly privacy related, the file will be called
disclosures.json instead.
This ticket proposes a JSON schema. Future tickets will deal with the
validation and the display respectively.
In its current form, the JSON schema does not set any fields as
"required".
As URLs are not one of the six data types accepted by JSON, these types
have been set as "string"s. The format has been set to "uri-reference" to
allow for relative URLs.
In the ticket to follow this one, the validation of the schema should
include appropriate validation of the URLs in PHP.
Further tickets should include ones to update WP-CLI and WordPress.org to
make the strings translatable. Thanks to Swissspidy for the comment below!
{{{#!php
<?php
{
"$schema": "https://core.trac.wordpress.org/ticket/51092",
"$id": "https://example.com/to.be.filled.in.later.disclosures.json",
"description": "The vision of the Disclosures Tab is for site
administrators to understand their site's privacy risk profile and to make
more informed privacy-related choices as a result. The mission of the
Disclosures Tab is to help site administrators understand what information
their site collects, where it is stored and where it is sent - and in
particular, with whom it is shared.",
"type": "object",
"properties": {
"details": {
"type": "object",
"properties": {
"component": {
"description": "Please enter one of the following values:
plugin, theme, or the specific Core component",
"type": "string"
},
"slug": {
"description": "Please supply the slug, if the code relates
to a plugin or a theme.",
"type": "string"
},
"version": {
"description": "Please supply which version of
disclosures.json this represents for the individual component.",
"type": "string"
},
"since": {
"description": "Please supply the plugin or theme's version
number, or the Core version, if the component is a Core component, which
introduced the current version of this disclosures.json file, i.e. this
should represent the since value.",
"type": "string"
}
}
},
}}}
{{{#!php
<?php
"licenses": {
"type": "object",
"properties": {
"code": {
"description": "Please provide a URL to the license that
applies to this component (plugin, theme, or Core component)'s use.",
"type": "string"
},
"localAssets": {
"description": "Please provide a comma-separated list of
URLs to the license that applies to the use of each asset that has been
included locally. This includes the license of any bundled libraries, as
well as the licenses of any images, fonts, etc.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
},
"remoteAssets": {
"description": "Please provide a comma-separated list of
URLs to the license that applies to the use of each asset that is accessed
remotely. This includes the licenses of any external libraries, as well as
the licenses of any images, fonts, etc.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
}
}
},
}}}
{{{#!php
<?php
"external": {
"description": "A comma-separated list of URLs containing the
links to the Privacy Policies of the sites to which the calls to external
networks are being made.",
"type": "object",
"properties": {
"PHP": {
"description": "A comma-separated list of URLs of links to
the respective Privacy Policies of the sites to which the external network
calls are being made in PHP.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
},
"JavaScript": {
"description": "A comma-separated list of URLs of links to
the respective Privacy Policies of the sites to which the external network
calls are being made in JavaScript.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
},
"CSS": {
"description": "A comma-separated list of URLs of links to
the respective Privacy Policies of the sites to which the external network
calls are being made in CSS.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
}
}
},
}}}
{{{#!php
<?php
"terms": {
"type": "object"
"description": "A comma-separated list to third party Terms and
Conditions, if applicable.",
"properties": {
"SaaS": {
"description": "A comma-separated list of URLs to the Terms
of Service of any instances of Software as a Service.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
},
"externalAPIs": {
"description": "A comma-separated list of URLs to the Terms
of Service of any external API being used.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
},
"remoteAssets": {
"description": "A comma-separated list of URLs to the Terms
of Service that applies to the use of each remote asset. This relates to
the use of CDNs for images, fonts, etc.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
},
"registration": {
"description": "Please provide a comma-separated list of
URLs to the Terms of Service that apply to any accounts that need to be
registered in order to be able to make use of this component's code.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
}
}
},
}}}
{{{#!php
<?php
"openWeb": {
"type": "object",
"description": "Details about mechanisms that allow others to
obtain information from the site without browsing the website's front
end.",
"properties": {
"apiEndpoints": {
"description": "A comma-separated list of URLs for any
internal API endpoints that are created by the code.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
},
"feeds": {
"description": "A comma-separated list of URLs for any
internal feeds that are created by the code.",
"type": "array",
"items": {
"type": "string",
"format": "uri-reference"
},
"uniqueItems": true
}
}
},
}}}
{{{#!php
<?php
"clientSide": {
"type": "object",
"properties": {
"setsCookiesPHP": {
"description": "The names of any cookies that have been set
using PHP.",
"type": "array",
"items": {
"type": "string",
},
"uniqueItems": true
},
"setsCookiesJavaScript": {
"description": "The names of any cookies that have been set
using JavaScript.",
"type": "array",
"items": {
"type": "string",
},
"uniqueItems": true
},
"usesLocalStorage": {
"description": "Whether or not the code makes use of local
storage.",
"type": "boolean"
}
}
},
}}}
{{{#!php
<?php
"database": {
"type": "object",
"properties": {
"writesToDB": {
"description": "Whether or not the code writes to the
database.",
"type": "object",
"properties": {
"auto": {
"description": "Whether or not the code writes to the
database in relation to information that is not explicitly input by a
user.",
"type": "boolean"
},
"manual": {
"description": "Whether or not the code writes to the
database that is not explicitly input by a user.",
"type": "boolean"
}
}
},
"CPT": {
"type": "object",
"description": "Please indicate whether the component
creates any Custom Post Types.",
"properties": {
"auto": {
"description": "Please indicate the number of Custom
Post Types that are automatically created by the code without user
intervention.",
"type": "integer",
"minimum": 0
},
"manual": {
"description": "Please indicate whether the code
allows for users to generate Custom Post Types.",
"type": "boolean"
}
}
},
"customTables": {
"description": "Please indicate whether the code creates
any custom tables in the database.",
"type": "object",
"properties": {
"auto": {
"description": "Please indicate the number of custom
tables that are automatically created by the code without user
intervention.",
"type": "integer",
"minimum": 0
},
"manual": {
"description": "Please indicate whether the code
allows the user to create any custom tables.",
"type": "boolean"
}
}
}
}
},
}}}
{{{#!php
<?php
"otherStorage": {
"type": "object",
"properties": {
"writesToFiles": {
"description": "A comma-separated list of file types the
code writes to (e.g. .txt).",
"type": "array",
"items": {
"type": "string",
}
},
"fileStructure": {
"description": "Whether or not the code makes changes to
the website's file structure.",
"type": "object",
"properties": {
"auto": {
"description": "Whether or not the code makes
changes, or is capable of making changes, to the website's file structure
that are not explicitly initiated by a user. This does not include files
that are added directly from the repository, or in the original .zip
file.",
"type": "boolean"
},
"manual": {
"description": "Whether or not the code makes
changes, or is capable of making changes, to the website's file structure
that are explicitly initiated by the user. This does not include files
that are added directly from the repository, or in the original .zip
file.",
}
}
}
}
},
}}}
{{{#!php
<?php
"ppi": {
"description": "Please indicate TRUE / FALSE as to whether the
code stores any Protected Personal Information.",
"type": "boolean"
},
"compatibility": {
"type": "object",
"description": "Please indicate the component's compatibility
with Privacy Tools.",
"properties": {
"ppiExport": {
"description": "Does the developer, in good faith, consider
the code to be compatible with the PPI Export Tool in WordPress?",
"type": "boolean"
},
"ppiErasure": {
"description": "Does the developer, in good faith, consider
the code to be compatible with the PPI Erasure Tool in WordPress?",
"type": "boolean"
},
"consentAPI": {
"description": "Does the developer, in good faith, consider
the code to be compatible with the WordPress Consent API?",
"type": "boolean"
},
"disclosuresTab": {
"description": "Do the developer, in good faith, consider
the code to be compatible with the Disclosure Tab?",
"type": "boolean"
},
"permissionsTab": {
"description": "Do the developer, in good faith, consider
the code to be compatible with the Permissions Tab?",
"type": "boolean"
}
}
},
}}}
{{{#!php
<?php
"monetization": {
"type": "object",
"description": "This section provides details regarding
monetization practices.",
"properties": {
"upsells": {
"description": "Does this code promote a paid version, or
extensions, or other products or services from the same author(s)?",
"type": "boolean"
},
"donations": {
"description": "Does this code contain any request, or
information in order to, donate to the plugin or its developer(s)?",
"type": "boolean"
},
"backLinks": {
"description": "Does this code contain or generate, or ask
the site owner / admin for permission to generate, backlinks?",
"type": "boolean"
},
"affiliates": {
"description": "Does this code contain, or generate
affiliate links - i.e. links from which the author may receive conditional
compensation, whether in money, or in kind?",
"type": "boolean"
},
"advertising": {
"description": "Does the code contain, or generate
promotions or recommendations for any products or services not directly
under the control of the author(s), for which the author(s) receive any
compensation, whether in money, or in kind?",
"type": "boolean"
}
}
}
}
}
}}}
--
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51092#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list