Closed justAyTE closed 5 years ago
Shouldn't that be up to the browser to care about, and not the web application? There is a counter-argument to be made that you are wasting bandwidth by self-hosting the JS and circumventing the CDN's cache. This is more of a personal preference than a technological improvement.
I think you also made a lot of whitespace changes which have nothing to do with your suggested modification.
Yep, browsers have their responsibility in this too. But some browsers like Firefox don't change that because some websites use http_referer to do CSRF checks or other things like that.
We are creating a YunoHost package for this app. YunoHost guidelines suggest patching applications containing trackers or fixing this kind of issue upstream. That's why we made this PR.
Alternatively, this line could be added: `<meta content="origin-when-cross-origin" name="referrer" />`
In addition, adding an integrity attribute could be done to avoid another script being loaded...
About considering this kind of issue as a personal preference rather than a technological improvement: users are not aware of this kind of issue, so they are not able to make a choice. In Europe we have strong rules (GDPR) that oblige us to do privacy by design and to inform users in case of this kind of data leak/sharing.
I appreciate the thought but I'd rather not inline and modify external libraries when it's not strictly required. Imagine the maintenance pain if we want to update these libraries at some later point.
Also, please don't be offended, but I can't possibly include 10.000+ lines of code that you pasted. There is no way to know that those scripts do not include malicious code.
For your use case it might be better to fork the repository and make those changes there.
This pull request improves privacy.
I downloaded the JS files from the different servers and included them directly to avoid trackers.
Including the JS files internally avoids sending the HTTP_REFERER header that leaks the URL.
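The integrity attribute and the concern about reviewing pasted library files both come down to hashing the file. This is an added example, not code from the pull request or the project. It computes a Subresource Integrity value, checks a vendored copy against it, and builds a CDN `<script>` tag that sends no Referer. The sample file contents, the URL and all function names are constructed for illustration.

```python
import base64
import hashlib
from html import escape

# Hash algorithms defined for SRI, weakest to strongest.
_ALGS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return an SRI token of the form '<alg>-<base64 digest>' for data."""
    if alg not in _ALGS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check data against an integrity attribute value.

    As in a browser, only tokens using the strongest listed algorithm count
    and unknown algorithms are ignored. Stricter than a browser: a value with
    no usable token is treated as a failure instead of "no check".
    """
    tokens = [t.split("?")[0] for t in integrity.split()]  # drop ?options
    known = [t for t in tokens if t.partition("-")[0] in _ALGS]
    if not known:
        return False
    strongest = max((t.partition("-")[0] for t in known), key=_ALGS.index)
    return sri_hash(data, strongest) in known


def script_tag(src: str, data: bytes) -> str:
    """Build a <script> tag pinned to data that also suppresses the Referer."""
    return (f'<script src="{escape(src, quote=True)}" '
            f'integrity="{sri_hash(data)}" '
            'crossorigin="anonymous" referrerpolicy="no-referrer"></script>')


# Constructed sample standing in for a library file as served by a CDN.
SAMPLE_LIB = b"window.demoLib = { version: '1.0.0' };\n"
SAMPLE_URL = "https://cdn.example/demo-lib.min.js"  # placeholder URL

if __name__ == "__main__":
    print(script_tag(SAMPLE_URL, SAMPLE_LIB))
    # A vendored copy with one extra statement no longer matches the pin.
    modified = SAMPLE_LIB + b"console.log('extra');\n"
    print("vendored copy matches:", verify_sri(modified, sri_hash(SAMPLE_LIB)))
```

Run against a self-hosted copy and the hash of the upstream release file, `verify_sri` tells a reviewer whether the pasted file is byte-for-byte the published one without reading every line.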