omeka / Omeka

A flexible web publishing platform for the display of library, museum and scholarly collections, archives and exhibitions.
http://omeka.org
GNU General Public License v3.0

Omeka is not GDPR compliant because JQuery is loaded from Google server #1012

Closed lorenzode closed 7 months ago

lorenzode commented 7 months ago

How it is:

JQuery is loaded from the Google server:

[Screenshot: omeka]

How it should be:

Solution 1: A pop up should be displayed to ask consent to send personal data (IP address) to the Google server according to the GDPR consent requirements. If consent is given, load JQuery and proceed with page loading. Not sure what happens if consent is denied as JQuery is probably integral to the functioning of Omeka.

Solution 2: Load JQuery locally. I think this is the preferred solution and I would be super happy to hear of your workarounds to load JQuery locally because my organization has some very strict data privacy requirements. Thank you!

zerocrates commented 7 months ago

What happened here is that the useInternalAssets flag was originally intended for usages without internet access. Several versions ago, we replaced the loading code for jQuery with what we have currently, which tries to load from the CDNs and loads the local copies automatically if the CDN load failed. Because that fallback was automatic, there wasn't really a need to check the useInternalAssets flag anymore for that purpose, so the check was removed.

We can reintroduce it, so that when it's enabled we just directly load jQuery and jQuery UI. That will need to be a core change.

zerocrates commented 7 months ago

So there's a code change attached to this issue now which re-enables that flag for loading jQuery and jQuery UI.

In terms of solutions for you currently, you could take that change and apply it as a patch to your installation. Alternatively, it's also possible to edit your theme so it will load jQuery locally.

lorenzode commented 7 months ago

Thanks @zerocrates for the patch!

> Alternatively, it's also possible to edit your theme so it will load jQuery locally.

I think that would be the preferred way and to avoid changing anything in core files (although I will use your patch if I can't solve this on the theme level).

I fiddled around with the header.php file of the Berlin theme but even when I comment out queue_js_file('globals'); it still loads JQuery from Google. I could of course hardcode all JS libs separately in the header.php file of the theme but I was wondering if there is a more elegant way to remove the call to the JQuery files on the Google server in the theme files?

    <!-- JavaScripts -->
    <?php queue_js_file('vendor/selectivizr', 'javascripts', array('conditional' => '(gte IE 6)&(lte IE 8)')); ?>
    <?php queue_js_file('vendor/respond'); ?>
    <?php queue_js_file('vendor/jquery-accessibleMegaMenu'); ?>
    <?php queue_js_file('berlin'); ?>
    <?php /* queue_js_file('globals');*/ ?>
    <?php echo head_js(); ?>

Edit: typos, clarity

zerocrates commented 7 months ago

"globals" is just loading a file called globals.js.

The "default" scripts including jQuery are loaded by the head_js call; make it head_js(false) to skip them. You could then add queue_js_file('vendor/jquery') above the other queue calls to load the local copy of jQuery.
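An added example, not part of the thread or of Omeka's code: a check to run against the rendered page source after switching the theme to `head_js(false)`, listing any script or stylesheet still requested from a host other than the site's own. The sample HTML, its paths, the `X.Y.Z` version placeholder and the `example.org` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AssetCollector(HTMLParser):
    """Collect the URLs of scripts and stylesheets a page references."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            if a.get("href"):
                self.urls.append(a["href"])

def third_party_assets(html, site_host):
    """Return asset URLs served from a host other than site_host.

    Relative URLs carry no host and count as local. Protocol-relative
    URLs (//host/path) do carry a host and are checked like absolute ones.
    """
    collector = AssetCollector()
    collector.feed(html)
    external = []
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host and host.lower() != site_host.lower():
            external.append(url)
    return external

# Constructed sample: CDN load with an inline local fallback (default scripts).
BEFORE = r"""<head>
<script src="//ajax.googleapis.com/ajax/libs/jquery/X.Y.Z/jquery.min.js"></script>
<script>window.jQuery || document.write("<script src=\"/js/vendor/jquery.js\"><\/script>")</script>
<script src="/themes/berlin/javascripts/berlin.js"></script>
</head>"""

# Constructed sample: default scripts skipped, local jQuery queued by the theme.
AFTER = """<head>
<script src="/js/vendor/jquery.js"></script>
<script src="https://example.org/themes/berlin/javascripts/berlin.js"></script>
</head>"""

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, third_party_assets(page, "example.org"))
```

The check only sees assets declared in the markup, so scripts injected at runtime need a look at the browser's network log as well.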

lorenzode commented 7 months ago

Thank you very much for the quick and helpful response!