
Load Redocly icon without external CDN

Open seanking2919 opened this issue 2 years ago • 10 comments

Describe the problem to be solved

On various sites using Redocly CLI > 0.11.0, the Redocly Attribution has a logo in it. The issue lies with said logo being pulled from a CDN, particularly cdn.redoc.ly. Many have different arguments as to why it should be loaded from an external CDN instead. However, loading it from an external CDN causes a page to try to connect to another domain. Hence, more loading time. In addition, it's known to cause numerous privacy concerns.

Describe the solution you'd like

I'd like for the Redocly icon to be loaded locally just like all the other images and resources.

Additional context

Some resources on why loading resources from a third-party, public CDN isn't ideal:

  • https://www.tukutoi.com/why-we-shouldnt-use-third-party-resources-and-cdn-services/
  • https://httptoolkit.tech/blog/public-cdn-risks/

seanking2919 avatar Aug 23 '22 23:08 seanking2919

Thanks for the issue @seanking2919.

Increase awareness

We've heard from our customers that they wish it was easier to find us. Even those using our open source solution already weren't aware we offered more solutions such as a developer portal. We've worked to make the Redocly attribution remain out of the way for users but increase our brand awareness by being more visible than the prior attribution.

Difference from other images and resources

The Redocly brand attribution has the Redocly brand in it. The other resources are specific to the version of Redoc installed (and may evolve over time). The Redocly brand may also evolve over time (let's take the case if we change our logo which is used as the icon), but this is the major difference: the attribution icon shouldn't be locked to a specific version of Redoc. In that case, we don't want to have the old brand icon floating around for years on end.

Possible solution

  • Your proposed solution won't work for us, because we want to be able to rebrand quickly.
  • We could potentially offer a configuration option, such as hideRedoclyAttributionIcon, which would not display the icon.

However, before we add that option, let's get some more feedback. Adding yet another configuration option conflicts with another goal we have to reduce the number of configuration options. 🤣

adamaltman avatar Sep 18 '22 21:09 adamaltman

Your proposed solution won't work for us, because we want to be able to rebrand quickly.

With all due respect, you could do a PR or a commit to the main branch and then release a new minor version (i.e. 0.11.1 or 0.11.2) if you really had to change branding quickly.

Edit: You could always have the logo downloaded to a spot locally when running the bundle. That way if you do update branding, it'll eventually make its way to projects that use it more quickly.

seanking2919 avatar Sep 19 '22 19:09 seanking2919

With all due respect, you could do a PR or a commit to the main branch and then release a new minor version (i.e. 0.11.1 or 0.11.2) if you really had to change branding quickly.

This is exactly what I mean. This doesn't work. It requires people to update. A quick PR on our end is not the challenge. It's updating 100,000 websites. How many of them run the latest version? How often do they update? How many haven't updated the version in over a month? over a year? over 5 years? (Yes, some big projects running Redoc haven't updated the version in over 5 years.)

adamaltman avatar Sep 21 '22 12:09 adamaltman

With all due respect, you could do a PR or a commit to the main branch and then release a new minor version (i.e. 0.11.1 or 0.11.2) if you really had to change branding quickly.

This is exactly what I mean. This doesn't work. It requires people to update. A quick PR on our end is not the challenge. It's updating 100,000 websites. How many of them run the latest version? How often do they update? How many haven't updated the version in over a month? over a year? over 5 years? (Yes, some big projects running Redoc haven't updated the version in over 5 years.)

To be fair, we have tools such as the Renovate bot nowadays to help keep folks' dependencies up to date. Just because some folks don't update doesn't mean it's suddenly ethical to still force them to use your external CDN just to get a single icon for an attribution. It just means you have to do it in a better way. See my suggestion in the section of my comment adjacent to Edit: above.

seanking2919 avatar Sep 21 '22 18:09 seanking2919

For note, here's how Material for MkDocs handles external resources for an experimental privacy plugin: https://squidfunk.github.io/mkdocs-material/setup/ensuring-data-privacy/#built-in-privacy-plugin

seanking2919 avatar Sep 27 '22 04:09 seanking2919

We use a pretty strict Content-Security-Policy in one project, where we also host API docs using redoc. During a review we noticed we always get an error Refused to load the image 'https://cdn.redoc.ly/redoc/logo-mini.svg' because it violates the following Content Security Policy directive: ... in the logs. We wanted to get rid of this error by self-hosting the .svg, but this seems difficult at best right now.

And honestly, nobody cares about your want to rebrand quickly, that's not an excuse to expose countless websites in the world - by your count 100k - to exposing private information about all their visitors (IP addresses are PII), to an unknown 3rd party. You will survive, like everyone else, with redirects etc.

lietu avatar Dec 13 '22 09:12 lietu

We use a pretty strict Content-Security-Policy in one project, where we also host API docs using redoc. During a review we noticed we always get an error Refused to load the image 'https://cdn.redoc.ly/redoc/logo-mini.svg' because it violates the following Content Security Policy directive: ... in the logs. We wanted to get rid of this error by self-hosting the .svg, but this seems difficult at best right now.

And honestly, nobody cares about your want to rebrand quickly, that's not an excuse to expose countless websites in the world - by your count 100k - to exposing private information about all their visitors (IP addresses are PII), to an unknown 3rd party. You will survive, like everyone else, with redirects etc.

It's also not an excuse to risk getting fined for GDPR violations given what happened to Google Fonts in Germany.

seanking2919 avatar Feb 28 '23 03:02 seanking2919

I really don't understand why the logo is not included in the package. In some cases, like offline use or because of privacy, it's important to have as few external resources as possible. Does redocly analyse the traffic to API installations?

julianpoemp avatar Feb 29 '24 12:02 julianpoemp

Same as the others. I'm more than happy to attribute redocly and show the logo, just not as a third party site. Also saves them the CDN bandwidth cost :shrug:

I download the js bundle and logo locally and rewrite the path during the build step. Looks like fair use to me.

alicebob avatar Mar 21 '24 16:03 alicebob
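An added example, not code from the thread, Redoc or Redocly CLI, covering the two steps discussed above: the CSP-style review that flags third-party loads in a built page (lietu's finding) and the build-step rewrite of the CDN path to a local copy (alicebob's approach). The sample HTML is constructed, and the local path assets/redoc-logo-mini.svg is an assumption about your build layout.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a bundled docs page: first-party script and
# stylesheet, plus the attribution image loaded from the Redocly CDN.
SAMPLE_HTML = """<!doctype html>
<html><head><link rel="stylesheet" href="/static/site.css"></head>
<body>
<script src="/static/redoc.standalone.js"></script>
<a href="https://redocly.com/">Documentation Powered by
  <img src="https://cdn.redoc.ly/redoc/logo-mini.svg" alt="Redocly"></a>
</body></html>"""

# Attributes that cause a fetch when the page renders; navigation links
# such as <a href> are not resource loads and are ignored.
LOAD_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}

class _ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = LOAD_ATTRS.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.urls.append(value)

def find_external_resources(html, allowed_hosts=()):
    """Return resource URLs a CSP limited to allowed_hosts would block."""
    parser = _ResourceCollector()
    parser.feed(html)
    external = []
    for url in parser.urls:
        host = urlsplit(url).netloc
        if host and host not in allowed_hosts:  # relative URL = first-party
            external.append(url)
    return external

def rewrite_cdn_refs(html, mapping):
    """Build step: replace each CDN URL with its self-hosted path."""
    for cdn_url, local_path in mapping.items():
        html = html.replace(cdn_url, local_path)
    return html

if __name__ == "__main__":
    # Assumed local path; the SVG must be copied there by the build as well.
    local = {"https://cdn.redoc.ly/redoc/logo-mini.svg": "assets/redoc-logo-mini.svg"}
    print("before:", find_external_resources(SAMPLE_HTML))
    print("after: ", find_external_resources(rewrite_cdn_refs(SAMPLE_HTML, local)))
```

Running the scan again after the rewrite, and failing the build if anything external remains, gives a repeatable check that the page no longer contacts cdn.redoc.ly.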

To make you happy with your need to change branding, and those of us who expect to be capable of using a self-contained file, please could I suggest adding a simple configuration option that determines whether or not to embed the SVG / JS within the file or use the CDN.

I would love to embed the output html file within Notion but, like others, am having issues relating to Content Security Policy which cannot be changed.

The original redoc would do this no problem, which is why I am currently still using that instead. To the other people reaching this topic, I would recommend using redoc-cli instead of redocly until this issue is resolved.

symballl avatar May 09 '24 08:05 symballl