"Go full featured" not GDPR-Compliant

[jfqd]

Description:

The new Admin page "Go full featured" is not GDPR-Compliant. This page makes requests to several third party hosts.

I fully understand your goal with this page, but please make it GDPR-Compliant and server the assets from the Rocket.Chat instance directly. Or give us an option to deactivate this page to be able to use it leagally in europe.

Steps to reproduce:

1. Open the Admin area
2. You see the new "Go full featured" page

Expected behavior:

I expect no requests to third-parties.

Actual behavior:

Currently this page makes commections to the following hosts, which is not GDPR-Compliant:

• d3e54v103j8qbb.cloudfront.net
• bugsnag.com
• cloudflare.com
• github.io
• googleoptimize.com
• gstatic.com
• hsforms.net
• refokus.io
• website-files.com

Server Setup Information:

• Version of Rocket.Chat Server: 4.6.3

Client Setup Information

• Desktop App or Browser Version: 3.8.4
• Operating System: macOS Big Sur

Additional context

Relevant logs:

[Gummikavalier]

This is particularly mean as the users accessing admin features most often are just that; admins, and the page opens up every time you access the admin console via the user menu.

This allows pinpointing both RC instances as well as their maintainers in the world.

In the worst case scenario the 'Go fully featured' page would be used to load malware directly into the admin user session on the browser using 0-day vulnerabilities in the browsers.

The simplest workaround is using the url /admin/info instead of the profile menu to access the admin console.

[jfqd]

Thx for the workaround, but the url /admin/info is nothing someone can open in the Roket.Chat client. Rocket.Chat is not GDPR-Compliant as long as this feature is alive.

[Gummikavalier]

I completely agree with you on all accounts.