Open JohnnyJayJay opened 3 years ago
Hello, indeed two private domains are called when using the app:
- `analytics.androz2091.fr`. This is an app called Umami, which is an open source analytics server that counts page views and visitors. So no data from your package is sent to it and this is not required - feel free to remove the line from the `index.html` file
- `diswho.androz2091.fr`. This is an important app which is, again, open source. You can self-host it, even if it's pretty hard (because you will probably need a Google captcha key). This is only used to resolve user IDs from your data package to user objects (used for the top dms leaderboard). Again, nothing is stored in the server and your requests are anonymous.
This may not be the best solution and I am open to other suggestions to reduce the usage of external services, to make the app as independent as possible. (maybe by adding an input so users can specify a bot token that can be used to resolve the user IDs without diswho... ?)
To be clear, I'm not suggesting any parts of the app were made in bad faith. It's a privacy issue as soon as external services are used in a way that isn't transparent enough, not just when you actually grab personal data. It's apparent from the source code and request monitoring that this doesn't happen here :smile:
Thank you for the explanations. Here are my 2 cents regarding a possible solution:
`diswho` instance to use (again via a config or an env variable)
`diswho` (since it's not required for personal or limited scale use)
The source code for this app contains hard references to your personal domain `androz2091.fr` in a bunch of places. This introduces a big problem: Even when hosted privately, the app makes requests to your resources. This should not happen, because that makes it impossible to truly "self"-host an instance of this app. Furthermore, this is - in my opinion - a big privacy issue, especially since there doesn't seem to be a privacy policy (depending on what the `analytics` part of the app does, this may actually be illegal).

There should be no hard references to any private URL in the source code. If some external service is inevitably required somewhere, it should be made configurable.
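One way to implement the configurable-endpoint idea discussed in this thread, as an added example that is not part of the thread or the project's code: the variable names `ANALYTICS_URL` and `DISWHO_URL`, the helper names, and the sample hosts and paths are all assumptions. It resolves both services from configuration with no default host, and audits source text for hosts outside that configuration.

```javascript
// Added example: ANALYTICS_URL and DISWHO_URL are hypothetical setting names,
// not settings the project defines.

// Parse an optional service URL; an unset value means "service disabled".
function parseServiceUrl(name, value) {
  if (value === undefined || value.trim() === '') return null;
  let url;
  try {
    url = new URL(value.trim());
  } catch {
    throw new Error(`${name} is not a valid URL: ${value}`);
  }
  if (url.protocol !== 'https:') throw new Error(`${name} must use https`);
  return url;
}

// Resolve every external endpoint from configuration, with no built-in default host.
function resolveExternalServices(env) {
  const analytics = parseServiceUrl('ANALYTICS_URL', env.ANALYTICS_URL);
  const diswho = parseServiceUrl('DISWHO_URL', env.DISWHO_URL);
  return {
    analytics: analytics && analytics.origin,
    diswho: diswho && diswho.origin,
    // Hosts the build is allowed to contact; anything else is unexpected.
    allowedHosts: [analytics, diswho].filter(Boolean).map((u) => u.hostname),
  };
}

// Audit source text for absolute URLs whose host is not in the allow list.
function findHardcodedHosts(source, allowedHosts) {
  const found = new Set();
  for (const match of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    const host = match[1].toLowerCase();
    if (!allowedHosts.includes(host)) found.add(host);
  }
  return [...found].sort();
}

// Constructed sample: self-hosted setup with analytics off and a private diswho.
const services = resolveExternalServices({ DISWHO_URL: 'https://diswho.example.org' });
const sampleSource = `
  <script src="https://analytics.androz2091.fr/umami.js"></script>
  fetch("https://diswho.example.org/lookup");
`;
console.log(services, findHardcodedHosts(sampleSource, services.allowedHosts));
```

Run over the built bundle in CI, a non-empty result from `findHardcodedHosts` flags a request target that the person hosting the instance did not configure.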