Feature Request: Remove ajax.googleapis.com scripts from the app #57

Closed
joediggs111 opened this issue Mar 1, 2022 · 4 comments

@joediggs111

Is your feature request related to a problem? Please describe.
Yes. Your deployed code at the onion page does not load unless I run javascript from https://ajax.googleapis.com. This obviously is a very major trust, security, usability, and privacy problem.

Describe the solution you'd like
Write your own javascript functions or pull someone else's equivalent code from your own forked repo. Preferably the page degrades gracefully without javascript but in the spirit of who-gives-a-shit-about-privacy-and-security, a reality more readily practiced among developers who love javascript, please at least put the code you're running into your open source repo, so we don't have to run scripts from external sites, ultimately from parties that not only do we not trust, but from parties that we implicitly DO NOT TRUST.

Describe alternatives you've considered
I'm considering the alternatives to google. There are many open source javascript functions you can use to accomplish the same goal without compromising everyone's privacy and security.

Additional context
Google is not a trustable entity.

@Reckless-Satoshi
Collaborator

Reckless-Satoshi commented Mar 1, 2022

Hey @joediggs111, thanks a lot for opening this issue.

This mishap (let's call it what it is) totally derives from my newbie status in the world of frontend development and lack of understanding of alternatives. Indeed, jQuery is being pulled from a Google server. I never remembered to look back at it once the platform was running. So I appreciate that you bring it up again. Hopefully, every single part of the code gets checked as well.

I will be researching alternatives and will report back. So far this post can serve as a larger context to understand why this is so important: https://forums.informaction.com/viewtopic.php?t=19598

PD: Agree on the Google take. Similar discussion took place regarding push notifications.
PD2: Also, don't be mad at me... your post reads very mad and I make a lot of mistakes :`)

@Reckless-Satoshi Reckless-Satoshi added this to the v0.2.0 alpha milestone Mar 1, 2022
@Reckless-Satoshi
Collaborator

Reckless-Satoshi commented Mar 1, 2022

Okay. The last commit (hot fix), which I dropped on the feature branch where I am currently working, drops all external (Google) dependencies, that is: this library and the Roboto fonts. The site looks slightly different now (irrelevant).

See c3f37b4

Won't be upgrading the mainnet platform to this commit height until I fully check things work as expected.

@Reckless-Satoshi
Collaborator

Fix running on the mainnet platform. Roboto fonts are now also served by the backend e660006

Overall a large increase in the number of requests that have to be served by the backend. Not a big issue as the platform is operating at a small scale at the moment.

@Reckless-Satoshi
Collaborator

Reckless-Satoshi commented Mar 1, 2022

After the fact, this was not that much of a difficult fix, nor was it a threat.

Closing this issue.
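
An added example, not part of the thread or the project's code: a small audit that lists every third-party host a rendered page would make the browser contact, which is the check that catches a CDN-hosted jQuery or Google-served Roboto before deployment. The function names, the sample markup and the `X.Y.Z` version placeholder are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes whose URL the browser fetches (conservative: every <link href>).
FETCH_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src",
               "source": "src", "embed": "src", "audio": "src", "video": "src"}
# url(...) and @import "..." references inside CSS text.
CSS_URL = re.compile(r"""(?:url\(\s*['"]?|@import\s+['"])([^'")\s]+)""", re.I)

class ExternalRefFinder(HTMLParser):
    def __init__(self, own_hosts=()):
        super().__init__()
        self.own_hosts, self.refs, self.in_style = set(own_hosts), [], False

    def check(self, where, url):
        host = urlparse(url.strip()).hostname  # None for relative and data: URLs
        if host and host not in self.own_hosts:
            self.refs.append((where, host, url))

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        url = dict(attrs).get(FETCH_ATTRS.get(tag))
        if url:
            self.check(tag, url)

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):
        if self.in_style:  # inline stylesheet: fonts and images load from here too
            for match in CSS_URL.finditer(data):
                self.check("style", match.group(1))

def find_external_refs(html, own_hosts=()):
    """Return (location, host, url) for every reference to a host not in own_hosts."""
    finder = ExternalRefFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.refs

# Constructed sample page (not the project's markup): two Google-hosted resources.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">
<style>@font-face { font-family: R; src: url('/static/fonts/roboto.woff2'); }</style>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/X.Y.Z/jquery.min.js"></script>
</head><body><script src="/static/frontend/main.js"></script></body></html>"""
```

Run over built templates in CI, a non-empty result from `find_external_refs` is a reason to fail the build; it does not see requests made at runtime by scripts, so a browser network trace remains the complementary check.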
