3rd Party Includes should be vendorized #104

Closed
Hainish opened this issue Jun 30, 2015 · 3 comments

@Hainish

Hainish commented Jun 30, 2015

Upon loading the application, numerous resource inclusions are made referencing external domains:

  • ajax.googleapis.com
  • cloudfront.loggly.com
  • fb.me
  • fbcdn-dragon-a.akamaihd.net
  • fonts.googleapis.com
  • maxcdn.bootstrapcdn.com
  • www.google-analytics.com

This application is intended to be self-hosted and used for small collaborations. This makes it an appealing option to teams concerned about private data leaking to cloud services. For organizations with strong privacy policies, this concern is even more important.

When the above resources are included, the requests they make are easily tracked by those third parties. Moreover, any JavaScript include from a third party can modify page contents and exfiltrate data. And for several of the resources included (bootstrap, react, jquery) there's no reason they need to be included externally - they can be either vendorized or added to a bower.json file for local inclusion. For the analytics services, there are also self-hosted options like https://github.com/piwik/piwik that should be an option to use, instead of google analytics and loggly.

Let's give deployment teams the option to use Mattermost when privacy is a concern or a requirement for their organization, and provide configuration options for self-hosting necessary resources.
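One way to audit for the inclusions this issue describes, as an added example that is not part of the issue thread or the Mattermost code base: a Python scan of rendered HTML that lists every resource fetched from a host other than your own. The sample page, its paths, and the host `chat.example.internal` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute whose URL the browser fetches on page load.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link rel> values that trigger a fetch; rel="canonical" and similar do not.
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}

# Constructed sample page: hosts are taken from the issue, paths are made up.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/css/bootstrap.min.css">
<link rel="stylesheet" href="/static/css/styles.css">
<link rel="canonical" href="https://example.org/">
<script src="//ajax.googleapis.com/ajax/libs/jquery/jquery.min.js"></script>
<script src="https://fb.me/react.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="/static/js/bundle.js"></script>
</head><body><img src="https://chat.example.internal/logo.png"></body></html>
"""


class ExternalIncludeFinder(HTMLParser):
    """Collects (line, tag, host, has_sri) for every off-site resource include."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and not set((a.get("rel") or "").lower().split()) & FETCHING_RELS:
            return
        # hostname is None for relative URLs; protocol-relative "//host/x" still yields a host.
        host = urlsplit((a.get(attr) or "").strip()).hostname
        if host and host not in self.own_hosts:
            # An integrity attribute (SRI) blocks a tampered file but not the request itself.
            self.findings.append((self.getpos()[0], tag, host, "integrity" in a))


def find_external_includes(html, own_hosts=()):
    finder = ExternalIncludeFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Calling `find_external_includes(SAMPLE, {"chat.example.internal"})` returns one tuple per off-site include. Run over the pages a build produces, an empty result is the condition the issue asks for.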

@jwilander
Member

Hi Hainish,

Thanks for the feedback! I totally agree with you that any production on-premise applications should not be going through third-party URLs to access code or a service when we can include it as an offline/self-hosted resource.

We're still pretty early in development, so as of now I can't say this is our highest priority task. I can guarantee, however, that this will be something we look into and handle within one of the next major releases coming up.

Also thanks for the link to https://github.com/piwik/piwik , I haven't heard of it before and I'll definitely have to check it out.

@Hainish
Author

Hainish commented Jun 30, 2015

👍

@it33
Contributor

it33 commented Jun 30, 2015

Hi @Hainish, thanks for the feedback, and certainly there's agreement. I've created an item for this in our feature request forum for the community to upvote and discuss: http://mattermost.uservoice.com/forums/306457-general/suggestions/8637517-enable-installer-to-complete-without-referencing-e

It includes links to feedback from other community members who agree with your idea.

Closing this issue, per http://www.mattermost.org/filing-issues/, to continue the conversation as a feature request, per http://www.mattermost.org/feature-requests/.

Please feel free to open a new ticket or reply to this one if you think differently.

@it33 it33 closed this as completed Jun 30, 2015
witjem pushed a commit to witjem/mattermost-server that referenced this issue Oct 6, 2022
* [MM-21705] Make sure docs are updated

* [MM-21705] Make docs an independent job

* [MM-21705] Add docs job in the workflow

* [MM-21705] Fix indentation in workflow

* [MM-21705] Clean up lint job
hanzei pushed a commit that referenced this issue Jul 13, 2023
* Added IsEnterpriseReady API

* Updated Minimum server version

* Updated dependency for server commit