Remove dependency on ajax.googleapis.com

[klinger]

VP does need javascript ajax.googleapis.com to work. This dependency should be removed.

Steps:

• Check whether its possible to remove the dependency.
• Check licence of the included code.
• (Optional) put a copy of the library of the code in VP and adjust the path to the function calls.
• (Optional) replace the library with another library that offers similar functions.

Why is it important?

• The whole content of a website should be delivered from one server (maybe excluding geodata and videos).
• better runtime behavior (no waiting for other servers)
• better uptime because of less dependencies (if another server isnt working or they change the javascript our website dont work)
• better privacy (no other website can track our users)
• better security (if one external website got hacked and the javascript is changed our website is automatically hacked too - the user just load the "valid" javascript that can contain every imaginable code)

[leodabbler]

I share these concerns

[derhuerst]

There is a certain point in CDNs like ajax.googleapis.com, which is performance. In many of the cases a visitor already visited another website with the same library, so it doesn't need to be loaded at all. In this case DNS will already be resolved.

[derhuerst]

We could use cdnjs for all libraries to reduce the number of round trips when loading VP.

[leodabbler]

I must admit that I have to relativize my own arguments a little. I think that uptime isn't really an issue as the major CDNs are surely much more reliable than our server(s) ever will be. And tracking will not take place as long as requests are satisfied from the user's browser cache. However, we should be aware of whether the URLs contain data that make it easier to track a certain user.

[derhuerst]

@leodabbler

However, we should be aware of whether the URLs contain data that make it easier to track a certain user.

Tracking is indeed a valid point, even if there is no idintifying piece of information in the URL. There still is fingerprinting.

The question is: Are – in this specific case – better privacy and better security worth sacrificing performance and dev comfort?

[klinger]

At the refugee hackathon some people said that they have to hide that they volunteer in the field of refugee help (their example were smaller villages in some parts of germany where you will suffer negative social consequences if someone thinks you take part in such "left wing" activities).

IMHO: Up to this year a larger part of the people working on topics concerning refugees were very aware of tracking issues (I think now most of the helpers dont care that much, because the helpers are often much older and not so much working on political change and more from the humanitarian communities).

Another aspect: Activities like helping people who want to cross borders can be considered illegal (depending on law and current interpretation on the law/public opinion). People may want to use VP to organize shifts for giving out food, maps, .. - every bit of privacy helps here.

This does answer @derhuerst question - but my preferred answer is: yes its worth it.

[Doca]

To be honest...this is a bit of a paranoia! Why should some external cdn track refugee helpers? One point for me is local dev. External libraries used to slow down local dev because of too many request from the same client. But this would be another ticket

[klinger]

Sorry, I am not yet convinced @Doca. I understand all the advantages of CDN (caching, maybe faster delivery, ..) but there are some valid concerns too - and "paranoia" isnt the best word for this. My mindset is quite good explained here: http://wonko.com/post/javascript-ssl-cdn

But there are also some other concerns (like "may not be used in countries under (US) export restriction laws like Syria"), for example
http://www.sitepoint.com/7-reasons-not-to-use-a-cdn/

[klinger]

Reopened, only low priority