Prefer local fonts over CDN ones

[gllmhyt]

Considering there's some privacy issues to use CDN-centralised font-faces (Open Sans and Font Awesome), I'd suggest to add them in the assets. I don't want the readers of a site I deploy to be tracked by such a little thing as fonts.

It could be ugly, just copying and deflating the zip files in a new directory, assets/fonts (as I've just made it on my personnal webblog), but it could be nicer using git submodules so there's no need to track each version bump to stay upstream. There's two git repositories for it:

• Open Sans: https://github.com/FontFaceKit/open-sans
• Font Awesome: https://github.com/FortAwesome/Font-Awesome

But there's still an ugly part doing so, there's to much files we don't need for a theme in these. What do you think of it?

[roryg]

I don't really feel that using fonts loaded from a CDN poses a large enough privacy issue for this to be a concern. To me the benefits of the saved resources outweigh the privacy issue. Most users that are worried about being tracked will likely be using a browser plugin to prevent it anyway. I'd like to keep the theme as simple as possible for people to use and I think using git submodules would make things overly complicated for non technical/git users.

[gllmhyt]

I understand that using submodules isn't the easiest solution to download (I don't know if an archived repository adjoin them, and I think it doesn't), and I'm sure it isn't the cleanest one too, as it includes many unneeded files (maybe dangerous ones); I can work on a cleaner yet lightweight patch without using user unfriendly submodules.

I understand it would be complicated to deploy your theme for those who only know git clone, maybe wget and unzip too, though I barely know more of git myself (see those failed and ugly pull requests I've made!). But I don't understand how one would have installed Ghost if he's not a technical/git user, at least familiar with command-line interfaces. Are they pre-installed Ghost platforms with web-installable themes yet?

I deployed this patch on my server, and I see no resource overload with a good cache control policy. Anyway, I have absolutely no control on cache control policy in the case of CDN-served libraries and it should bother any webmaster. And if they're on my own server, one reader won't have to wait for a CORS call to succeed: if the server respond at first bits, the fonts will be served with no delay.

Furthermore, I think the worst privacy issues are the sum of bening behaviors. One developper will see no arm on his own side if he uses a CDN for the libraries he needs, but the CDN owners will see a big advantage to have the access logs of those loading pages that integrates the incriminated CDN contents. I'm a blog writter, not a personal data reseller. I'm not some kind of quisling.

Besides, I don't think that only those who are aware of these issues and other not-so-wrong-paranoids have some kind of right to preclude the loading of these contents. There's not enough paranoids to make a change, and too much of those who won't lift a finger. Webmasters and developers have to mind their own behavior: they're those who can make it change.

Furthermore, I think that those worried of being tracked (everyone should be worried about it, and not just whine around when they suddenly give a damn about their private life) have also the right of a well aligned, well displayed and well formated website, including fonts, icons, etc.

So I'm suggesting to give the fonts with the theme. I can work on it to make both lightweight and easy to install for the webmasters, and easy to update for you or the contributors.