Mirror of https://github.com/nsupdate-info/nsupdate.info.git (synced 2026-04-25 00:25:58 +03:00)
[GH-ISSUE #469] Remove third parties from Website #341
Originally created by @dorsiflexion on GitHub (Dec 3, 2020).
Original GitHub issue: https://github.com/nsupdate-info/nsupdate.info/issues/469
Hey,
I really like this project, big thanks.
Loading third-party content goes against at least two of the claims of the homepage: nice and awesome. It makes you reliant on code from others which you don't control – you'd have to read all of it on every change to really know what's going on. It makes the site load slower because of the obvious and unnecessary overhead. And last and most important it leaks private data to the parties involved. The contacted hosts will know every visitor's IP address, user agent and so on which is really not nice. A nice website is first party and nothing else.
I hope you could have a look into this. Anyway, have a nice day! :)
@ThomasWaldmann commented on GitHub (Dec 4, 2020):
I guess you are referring to this:
As you see, we check with the integrity hash that the content is as expected.
You're right, these CDNs will see your IP.
Slower: usually browsers load multiple stuff in parallel IF it comes from different servers, which is the case here - so it might be in fact faster. Esp. if this popular stuff is already in your browser cache.
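An added example, not part of the thread or the project's code: a Python audit that lists every host a template makes visitors contact and whether each reference carries an integrity hash, plus a check of a fetched file against that hash. The sample HTML, host names and `dyndns.example` are constructed placeholders; the findings show that an integrity hash pins the content while the third-party host still receives the request.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

ALGS = ("sha256", "sha384", "sha512")  # weakest to strongest, as in the SRI spec

def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Value for an integrity="..." attribute: <alg>-<base64 digest>."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, content).digest()).decode()}"

def verify_sri(content: bytes, integrity: str) -> bool:
    """Compare content against the strongest algorithm listed, as a browser does."""
    tokens = [t for t in integrity.split() if t.split("-")[0] in ALGS]
    if not tokens:
        return False  # audit choice: no usable hash counts as a failure
    best = max(ALGS.index(t.split("-")[0]) for t in tokens)
    return sri_hash(content, ALGS[best]) in tokens

class ThirdPartyAudit(HTMLParser):
    """Collect (host, url, has_integrity) for every resource not served first-party."""
    def __init__(self, first_party: str):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "link" else a.get("src")
        host = urlparse(url or "").hostname  # None for relative (first-party) URLs
        if host and host != self.first_party:
            self.findings.append((host, url, bool(a.get("integrity"))))

def audit(html: str, first_party: str) -> list:
    parser = ThirdPartyAudit(first_party)
    parser.feed(html)
    return parser.findings

# Constructed sample: hosts, file names and script body are placeholders.
SAMPLE_JS = b"console.log('constructed sample');\n"
SAMPLE_HTML = f"""
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/lib.js" integrity="{sri_hash(SAMPLE_JS)}"></script>
<script src="//cdn.example.org/widget.js"></script>
"""

if __name__ == "__main__":
    for host, url, pinned in audit(SAMPLE_HTML, "dyndns.example"):
        print(f"{host:18} integrity={'yes' if pinned else 'NO '} {url}")
```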
@ThomasWaldmann commented on GitHub (Dec 4, 2020):
If we want to improve this, we could use xstatic-* pypi packages for the stuff needed (and package missing stuff like that, if something is missing).
PRs welcome!
@dorsiflexion commented on GitHub (Dec 6, 2020):
Sorry for closing and reopening, I misclicked.
Exactly, thanks. I forgot to mention the "names".
There are also additional handshakes and OCSP queries – it depends. But the IP address and referrer leakage is the main issue here imho.
This should probably be mentioned, too: #23