nsupdate.info

Remove third parties from Website

Open dorsiflexion opened this issue 4 years ago • 3 comments

Hey, I really like this project, big thanks.

Loading third-party content goes against at least two of the claims of the homepage: nice and awesome. It makes you reliant on code from others which you don't control – you'd have to read all of it on every change to really know what's going on. It makes the site load slower because of the obvious and unnecessary overhead. And last and most important, it leaks private data to the parties involved. The contacted hosts will know every visitor's IP address, user agent and so on, which is really not nice. A nice website is first party and nothing else.

I hope you could have a look into this. Anyway, have a nice day! :)

dorsiflexion, Dec 03 '20 22:12

I guess you are referring to this:

        <link href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-HSMxcRTRxnN+Bdg0JdbxYKrThecOKuH5zCYotlSAcp1+c8xmyTe9GYg1l9a69psu" crossorigin="anonymous">
        <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.11.2/css/all.min.css" rel="stylesheet" integrity="sha256-+N4/V/SbAFiW1MPBCXnfnP9QSN3+Keu+NlB+0ev/YKQ=" crossorigin="anonymous" />
        <script src="https://code.jquery.com/jquery-3.4.1.min.js" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>
        <script src="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js" integrity="sha384-aJ21OjlMXNL5UyIl/XNwTMqvzeRMZH2w8c5cRVpzpU8Y5bApTppSuUkhZXN0VxHd" crossorigin="anonymous"></script>

As you see, we check with the integrity hash that the content is as expected.

You're right, these CDNs will see your IP.

Slower: usually browsers load multiple stuff in parallel IF it comes from different servers, which is the case here - so it might be in fact faster. Esp. if this popular stuff is already in your browser cache.

ThomasWaldmann, Dec 04 '20 13:12

If we want to improve this, we could use xstatic-* pypi packages for the stuff needed (and package missing stuff like that, if something is missing).

PRs welcome!

ThomasWaldmann, Dec 04 '20 13:12

Sorry for closing and reopening, I misclicked.

> I guess you are referring to this: […]

Exactly, thanks. I forgot to mention the "names".

> Slower: usually browsers load multiple stuff in parallel IF it comes from different servers, which is the case here - so it might be in fact faster. Esp. if this popular stuff is already in your browser cache.

There are also additional handshakes and OCSP queries – it depends. But the IP address and referrer leakage is the main issue here imho.

This should probably be mentioned, too: #23

dorsiflexion, Dec 06 '20 22:12
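
An added example, not code from this thread or from nsupdate.info: it lists the third-party hosts a template makes the browser contact and checks a locally held copy of a file against an SRI `integrity` value, showing that the hash covers content while each listed host still receives the visitor's request. The host names, the `SAMPLE` markup, the `LIB` bytes and all function names are constructed for this example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

ALGS = ("sha256", "sha384", "sha512")  # weakest to strongest

def sri_value(data: bytes, alg: str = "sha384") -> str:
    """SRI integrity value: '<alg>-<base64 of the raw digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, data).digest()).decode()}"

def sri_matches(data: bytes, integrity: str) -> bool:
    """Compare data against the strongest algorithm listed in the attribute."""
    entries = [e for e in integrity.split() if e.split("-", 1)[0] in ALGS]
    if not entries:
        return False  # stricter than a browser, which ignores unusable metadata
    strongest = max((e.split("-", 1)[0] for e in entries), key=ALGS.index)
    return sri_value(data, strongest) in entries

class _Loads(HTMLParser):
    def __init__(self, first_party: str):
        super().__init__()
        self.first_party, self.found = first_party, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        host = urlparse(url or "").hostname  # None for relative (first-party) URLs
        if host and host != self.first_party:
            self.found.append((host, url, a.get("integrity")))

def third_party_loads(html: str, first_party: str) -> list:
    """(host, url, integrity) for each <script>/<link> fetched from another host."""
    parser = _Loads(first_party)
    parser.feed(html)
    return parser.found

# Constructed sample: hosts, markup and file bytes are made up for this example.
LIB = b"body { margin: 0 }"
SAMPLE = f"""
<link href="/static/site.css" rel="stylesheet">
<link href="https://cdn.example/lib.css" rel="stylesheet" integrity="{sri_value(LIB)}" crossorigin="anonymous" />
<script src="https://other.example/app.js"></script>
"""

if __name__ == "__main__":
    for host, url, integrity in third_party_loads(SAMPLE, "www.example"):
        print(host, "SRI" if integrity else "no SRI", url)
```

An empty result from `third_party_loads` is what a fully first-party page looks like; a non-empty result with every entry carrying a matching `integrity` value still names hosts that see the visitor's IP address.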