Remove third parties from Website #469

Open
dorsiflexion opened this issue Dec 3, 2020 · 3 comments

Comments

@dorsiflexion

Hey,
I really like this project, big thanks.

Loading third-party content goes against at least two of the claims of the homepage: nice and awesome. It makes you reliant on code from others which you don't control – you'd have to read all of it on every change to really know what's going on. It makes the site load slower because of the obvious and unnecessary overhead. And last and most important, it leaks private data to the parties involved. The contacted hosts will know every visitor's IP address, user agent and so on, which is really not nice. A nice website is first party and nothing else.

I hope you could have a look into this. Anyway, have a nice day! :)

@ThomasWaldmann
Member

I guess you are referring to this:

        <link href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-HSMxcRTRxnN+Bdg0JdbxYKrThecOKuH5zCYotlSAcp1+c8xmyTe9GYg1l9a69psu" crossorigin="anonymous">
        <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.11.2/css/all.min.css" rel="stylesheet" integrity="sha256-+N4/V/SbAFiW1MPBCXnfnP9QSN3+Keu+NlB+0ev/YKQ=" crossorigin="anonymous" />
        <script src="https://code.jquery.com/jquery-3.4.1.min.js" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>
        <script src="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js" integrity="sha384-aJ21OjlMXNL5UyIl/XNwTMqvzeRMZH2w8c5cRVpzpU8Y5bApTppSuUkhZXN0VxHd" crossorigin="anonymous"></script>

As you see, we check with the integrity hash that the content is as expected.

You're right, these CDNs will see your IP.

Slower: usually browsers load multiple things in parallel IF they come from different servers, which is the case here - so it might in fact be faster. Esp. if this popular stuff is already in your browser cache.

@ThomasWaldmann
Member

If we want to improve this, we could use xstatic-* PyPI packages for the stuff needed (and package missing stuff like that, if something is missing).

PRs welcome!
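As an added illustration of the two comments above (not code from this thread or from the project), the Python check below lists the third-party hosts a page pulls assets from and whether each carries a well-formed SRI `integrity` token, and computes the token for an asset once it is vendored (for example via xstatic) and served first-party. The first-party hostname `www.example.org` and the `/static/site.css` line are constructed placeholders; the four CDN tags are the ones quoted in the thread.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Digest sizes the Subresource Integrity spec allows in an integrity token.
SRI_DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}

def sri_value(data: bytes, algo: str = "sha384") -> str:
    """Compute the integrity="..." token for an asset you serve first-party."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def sri_is_wellformed(token: str) -> bool:
    """True if token is '<algo>-<base64>' and decodes to a digest of the right size."""
    try:
        algo, b64 = token.split("-", 1)
        return len(base64.b64decode(b64, validate=True)) == SRI_DIGEST_LEN[algo]
    except (ValueError, KeyError):
        return False

class _AssetParser(HTMLParser):
    """Collect (url, integrity) for every <script src=...> and <link href=...>."""
    def __init__(self):
        super().__init__()
        self.assets = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            self.assets.append((url, a.get("integrity")))

def third_party_assets(html: str, first_party: str) -> list:
    """(host, sri_ok) per asset fetched from another host. sri_ok only says a well-formed
    integrity token is present; that host still sees the visitor's IP and referrer."""
    parser = _AssetParser()
    parser.feed(html)
    report = []
    for url, integrity in parser.assets:
        host = urlparse(url).hostname  # None for relative (first-party) paths
        if host and host != first_party:
            report.append((host, integrity is not None and sri_is_wellformed(integrity)))
    return report

# Constructed sample: the four tags quoted in the thread plus one first-party stylesheet.
SAMPLE_HTML = """<link href="/static/site.css" rel="stylesheet">
<link href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-HSMxcRTRxnN+Bdg0JdbxYKrThecOKuH5zCYotlSAcp1+c8xmyTe9GYg1l9a69psu" crossorigin="anonymous">
<link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.11.2/css/all.min.css" rel="stylesheet" integrity="sha256-+N4/V/SbAFiW1MPBCXnfnP9QSN3+Keu+NlB+0ev/YKQ=" crossorigin="anonymous" />
<script src="https://code.jquery.com/jquery-3.4.1.min.js" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js" integrity="sha384-aJ21OjlMXNL5UyIl/XNwTMqvzeRMZH2w8c5cRVpzpU8Y5bApTppSuUkhZXN0VxHd" crossorigin="anonymous"></script>"""
```

Running `third_party_assets(SAMPLE_HTML, "www.example.org")` reports the three CDN hosts (one twice), all with well-formed tokens; after vendoring, `sri_value(open(path, "rb").read())` gives the token to put on the first-party tag.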

@dorsiflexion
Author

Sorry for closing and reopening, I misclicked.

> I guess you are referring to this: […]

Exactly, thanks. I forgot to mention the "names".

> Slower: usually browsers load multiple things in parallel IF they come from different servers, which is the case here - so it might in fact be faster. Esp. if this popular stuff is already in your browser cache.

There are also additional handshakes and OCSP queries – it depends. But the IP address and referrer leakage is the main issue here IMHO.

This should probably be mentioned, too: #23
