-
Notifications
You must be signed in to change notification settings - Fork 7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3rd Party Includes should be vendorized #104
Comments
Hi Hainish, Thanks for the feedback! I totally agree with you that any production on-premise applications should not be going through third-party URLs to access code or a service when we can include it as an offline/self-hosted resource. We're still pretty early in development, so as of now I can't say this is our highest priority task. I can guarantee, however, that this will be something we look into and handle within one of the next major releases coming up. Also thanks for the link to https://github.com/piwik/piwik , I haven't heard of it before and I'll definitely have to check it out. |
👍 |
Hi @Hainish, thanks for the feedback, and certainly there's agreement. I've created an item for this in our feature request forum for the community upvote and discuss: http://mattermost.uservoice.com/forums/306457-general/suggestions/8637517-enable-installer-to-complete-without-referencing-e It includes links to feedback from other community members who agree with your idea. Closing this issue, per http://www.mattermost.org/filing-issues/, to continue the conversation as a feature request, per http://www.mattermost.org/feature-requests/. Please feel free to open a new ticket or reply to this one if you think differently. |
* [MM-21705] Make sure docs are updated * [MM-21705] Make docs an independent job * [MM-21705] Add docs job in the workflow * [MM-21705] Fix indentation in workflow * [MM-21705] Clean up lint job
Upon loading the application, numerous resource inclusions are made referencing external domains:
This application is intended to be self-hosted and used for small collaborations. This makes it an appealing option to teams concerned about private data leaking to cloud services. For organizations with strong privacy policies, this is concern is even more important.
When the above resources are included, the requests they make are easily tracked by those third parties. Moreover, any javascript include from a third party can modify page contents and exfiltrate data. And for several of the resources included (boostrap, react, jquery) there's no reason they need to be included externally - they can be either vendorized or added to a bower.json file for local inclusion. For the analytics services, there are also self-hosted options like https://github.com/piwik/piwik that should be an option to use, instead of google analytics and loggly.
Let's give deployment teams the option to use Mattermost when privacy is a concern or a requirement for their organization, and provide configuration options for self-hosting necessary resources.
The text was updated successfully, but these errors were encountered: