Redocly / redoc

📘 OpenAPI/Swagger-generated API Reference Documentation
https://redocly.github.io/redoc/
MIT License

Load Redocly icon without external CDN #2141

Open seanking2919 opened 2 years ago

seanking2919 commented 2 years ago

**Describe the problem to be solved**

On various sites using Redocly CLI > 0.11.0, the Redocly Attribution has a logo in it. The issue lies with said logo being pulled from a CDN, particularly cdn.redoc.ly. Many have different arguments as to why it should be loaded from an external CDN instead. However, loading it from an external CDN causes a page to try to connect to another domain. Hence, more loading time. In addition, it's known to cause numerous privacy concerns.

**Describe the solution you'd like**

I'd like for the Redocly icon to be loaded locally just like all the other images and resources.

**Additional context**

Some resources on why loading resources from a third-party, public CDN isn't ideal:

adamaltman commented 2 years ago

Thanks for the issue @seanking2919.

**Increase awareness**

We've heard from our customers that they wish it was easier to find us. Even those using our open source solution already weren't aware we offered more solutions such as a developer portal. We've worked to make the Redocly attribution remain out of the way for users but increase our brand awareness by being more visible than the prior attribution.

**Difference from other images and resources**

The Redocly brand attribution has the Redocly brand in it. The other resources are specific to the version of Redoc installed (and may evolve over time). The Redocly brand may also evolve over time (let's take the case if we change our logo which is used as the icon), but this is the major difference: the attribution icon shouldn't be locked to a specific version of Redoc. In that case, we don't want to have the old brand icon floating around for years on end.

**Possible solution**

However, before we add that option, let's get some more feedback. Adding yet another configuration option conflicts with another goal we have to reduce the number of configuration options. 🤣

seanking2919 commented 2 years ago

Your proposed solution won't work for us, because we want to be able to rebrand quickly.

With all due respect, you could do a PR or a commit to the main branch and then release a new minor version (i.e. 0.11.1 or 0.11.2) if you really had to change branding quickly.

Edit: You could always have the logo downloaded to a spot locally when running the bundle. That way if you do update branding, it'll eventually make its way to projects that use it more quickly.

adamaltman commented 2 years ago

> With all due respect, you could do a PR or a commit to the main branch and then release a new minor version (i.e. 0.11.1 or 0.11.2) if you really had to change branding quickly.

This is exactly what I mean. This doesn't work. It requires people to update. A quick PR on our end is not the challenge. It's updating 100,000 websites. How many of them run the latest version? How often do they update? How many haven't updated the version in over a month? over a year? over 5 years? (Yes, some big projects running Redoc haven't updated the version in over 5 years.)

seanking2919 commented 2 years ago

> With all due respect, you could do a PR or a commit to the main branch and then release a new minor version (i.e. 0.11.1 or 0.11.2) if you really had to change branding quickly.
>
> This is exactly what I mean. This doesn't work. It requires people to update. A quick PR on our end is not the challenge. It's updating 100,000 websites. How many of them run the latest version? How often do they update? How many haven't updated the version in over a month? over a year? over 5 years? (Yes, some big projects running Redoc haven't updated the version in over 5 years.)

To be fair, we have tools such as the Renovate bot nowadays to help keep folks' dependencies up to date. Just because some folks don't update doesn't mean it's suddenly ethical to still force them to use your external CDN just to get a single icon for an attribution. It just means you have to do it in a better way. See my suggestion in the section of my comment adjacent to Edit: above.

seanking2919 commented 2 years ago

For note, here's how Material for MkDocs handles external resources for an experimental privacy plugin: https://squidfunk.github.io/mkdocs-material/setup/ensuring-data-privacy/#built-in-privacy-plugin

lietu commented 1 year ago

We use a pretty strict Content-Security-Policy in one project, where we also host API docs using redoc. During a review we noticed we always get the error `Refused to load the image 'https://cdn.redoc.ly/redoc/logo-mini.svg' because it violates the following Content Security Policy directive: ...` in the logs. We wanted to get rid of this error by self-hosting the .svg; this seems difficult at best right now.

And honestly, nobody cares about your want to rebrand quickly, that's not an excuse to expose countless websites in the world - by your count 100k - to exposing private information about all their visitors (IP addresses are PII), to an unknown 3rd party. You will survive, like everyone else, with redirects etc.

seanking2919 commented 1 year ago

> We use a pretty strict Content-Security-Policy in one project, where we also host API docs using redoc. During a review we noticed we always get the error `Refused to load the image 'https://cdn.redoc.ly/redoc/logo-mini.svg' because it violates the following Content Security Policy directive: ...` in the logs. We wanted to get rid of this error by self-hosting the .svg; this seems difficult at best right now.
>
> And honestly, nobody cares about your want to rebrand quickly, that's not an excuse to expose countless websites in the world - by your count 100k - to exposing private information about all their visitors (IP addresses are PII), to an unknown 3rd party. You will survive, like everyone else, with redirects etc.

It's also not an excuse to risk getting fined for GDPR violations given what happened to Google Fonts in Germany.

julianpoemp commented 7 months ago

I really don't understand why the logo is not included in the package. In some cases, like offline use or because of privacy, it's important to have as few external resources as possible. Does redocly analyse the traffic to API installations?

alicebob commented 6 months ago

Same as the others. I'm more than happy to attribute redocly and show the logo, just not as a third party site. Also saves them the CDN bandwidth cost :shrug:

I download the js bundle and logo locally and rewrite the path during the build step. Looks like fair use to me.
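The build-step workaround described in the comments above (fetch the logo locally, rewrite the CDN reference, and fail the build if any reference to cdn.redoc.ly survives, which is what triggers the CSP error quoted earlier) as an added example; this is not code from the Redoc project. It assumes the bundle is a single HTML/JS file that references the logo by the exact URL quoted in the CSP error, and the local asset path is a made-up choice.

```shell
#!/bin/sh
# Added example, not Redoc project code: self-host the Redocly attribution
# logo at build time so the rendered docs page never contacts cdn.redoc.ly.
set -eu

CDN_LOGO_URL="https://cdn.redoc.ly/redoc/logo-mini.svg"   # URL from the CSP error in the thread
LOCAL_LOGO_PATH="assets/redocly-logo-mini.svg"             # assumed local path (our choice)

# Download the logo once, in CI at build time (the only step that needs network).
fetch_logo() {
  out_dir="$1"
  mkdir -p "$out_dir/$(dirname "$LOCAL_LOGO_PATH")"
  curl -fsSL "$CDN_LOGO_URL" -o "$out_dir/$LOCAL_LOGO_PATH"
}

# Rewrite every occurrence of the CDN URL in the bundle to the local path, in place.
rewrite_cdn_refs() {
  bundle="$1"
  # '|' as the sed delimiter because the URL contains slashes; -i.bak works on GNU and BSD sed.
  sed -i.bak "s|$CDN_LOGO_URL|$LOCAL_LOGO_PATH|g" "$bundle"
  rm -f "$bundle.bak"
}

# Count references to the Redocly CDN host that remain in a bundle (0 means clean).
count_cdn_refs() {
  grep -o 'cdn\.redoc\.ly' "$1" | wc -l | tr -d ' '
}

# Build gate: fail if any CDN reference survived, so a CSP-restricted deployment
# cannot ship a page that will log "Refused to load the image" at runtime.
assert_self_contained() {
  n="$(count_cdn_refs "$1")"
  [ "$n" -eq 0 ] || { echo "bundle still references cdn.redoc.ly ($n times)" >&2; return 1; }
}

# Offline demo on a constructed two-line stand-in for the real bundle.
demo_on_constructed_bundle() {
  tmp="$(mktemp)"
  printf '%s\n' '<img src="https://cdn.redoc.ly/redoc/logo-mini.svg" alt="Redocly">' \
                '<script src="redoc.standalone.js"></script>' > "$tmp"
  rewrite_cdn_refs "$tmp"
  assert_self_contained "$tmp"
  rm -f "$tmp"
}

demo_on_constructed_bundle
```

In a real pipeline, call `fetch_logo "$OUT_DIR"` and then `rewrite_cdn_refs` plus `assert_self_contained` on the bundle the Redocly CLI produced, and add `img-src 'self'` rather than `cdn.redoc.ly` to the CSP.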

symballl commented 4 months ago

To make you happy with your need to change branding, and those of us who expect to be capable of using a self-contained file, please could I suggest adding a simple configuration option that determines whether or not to embed the SVG / JS within the file or use the CDN.

I would love to embed the output html file within Notion but, like others, am having issues relating to Content Security Policy which cannot be changed.

The original redoc would do this no problem, which is why I am currently still using that instead. To the other people reaching this topic, I would recommend using redoc-cli instead of redocly until this issue is resolved.