I only represent about 0.00000013% of all Chinese Internet users, but let me chime in: EVERY website that uses Google CDNs for js or fonts just doesn't work here. It just keeps loading and loading, and loading forever. In most cases it's jQuery, and in most cases it's in the <head> so the page just never shows. Cloudflare (cdnjs), Amazon CDNs, Akamai CDNs also occasionally get blocked and take entire Internet segments with them.<p>If you use 3rd party CDNs, please consider implementing a client-side failover strategy so you don't leave out 50% of the Internet "population".
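The client-side failover asked for above, as an added example that is not part of the original comment: each source is tried in order with a timeout, so a blocked or stalled CDN falls through to a self-hosted copy instead of hanging the page. The function name, the URLs and the 3-second timeout are assumptions.

```javascript
// Added example (not from the thread). `doc` is the page's `document`; it is
// passed in so the logic can also be exercised outside a browser.
// Calls done(null, src) for the first source that loads, or done(err, null).
function loadScriptWithFallback(doc, sources, timeoutMs, done) {
  let index = 0;

  function tryNext() {
    if (index >= sources.length) {
      done(new Error('all script sources failed'), null);
      return;
    }
    const src = sources[index++];
    const el = doc.createElement('script');
    let settled = false;
    let timer = null;

    function settle(ok) {
      if (settled) return;           // ignore a late load/error after the timeout
      settled = true;
      clearTimeout(timer);
      if (ok) {
        done(null, src);
        return;
      }
      // Removing the element does not guarantee the stalled request is aborted,
      // so the library should tolerate being evaluated twice if the CDN is late.
      if (el.parentNode) el.parentNode.removeChild(el);
      tryNext();
    }

    el.async = true;                 // never block HTML parsing on a third party
    el.onload = () => settle(true);
    el.onerror = () => settle(false);
    el.src = src;
    timer = setTimeout(() => settle(false), timeoutMs);
    doc.head.appendChild(el);
  }

  tryNext();
}

// Browser usage (constructed URLs, CDN first, self-hosted copy second):
// loadScriptWithFallback(document,
//   ['https://cdn.example/jquery.min.js', '/static/js/jquery.min.js'],
//   3000, (err, used) => { if (!err) startApp(); });
```

Code that depends on the library has to start from the callback, because the script is no longer loaded synchronously from the head.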
Firefox on Linux.<p>I use uBlock Origin, Ghostery and Disconnect, and Flash Control. peppercarrot.com is all zeroes for all three blockers, meaning nothing is blocked because there's nothing noticed that needs to be blocked. There are no Flash Control icons, meaning no video or audio noticed and blocked. Thanks for caring. :)<p>On the front page of theguardian.com, logged in as me, there's a <i>V</i> icon at the top, meaning that Flash Control has blocked video, probably for some gratuitous menu feature. I have zero trouble using and reading the site.<p>When I first opened theguardian a few minutes ago, uBlock was blocking 13 requests. It's steadily climbed in those minutes to 32 blocked requests. Ghostery is noticing/blocking 0 trackers. Disconnect is blocking two: nielsen and comscore. Disconnect is also blocking 1 from Facebook and 3 from Google. All three tools may be seeing and blocking some of the same things.<p>Without these four tools, except for low/no-commercial technical sites and public service sites like Wikipedia my web is all but unusable. With them my web is fine.<p>I very rarely have any problems using any site. I had to enable my bank in uBlock to use their popup bill pay feature. I think I had trouble viewing a cartoon at The New Yorker; I forget what I did to view it. YouTube and Flash Control seem to be in a perpetual arms race, as was the case with Flashblock. YouTube is my main motivation for using Flash Control, to prevent automatic video playing.<p>And yep, I get that sites pay the bills with ads. I $ubscribe to three news sites, and I also get that that doesn't pay the whole bill. The web is either going to have to block me for using a blocker (I've been seeing that very rarely recently, or at least "Unblock us please") or figure out a less dangerous, intrusive and loadsome way to serve ads. (And yep, I just made up the word "loadsome." I can do anything!)<p>EDIT: I whitelist duckduckgo.com in uBlock.<p><a href="https://duck.co/help/company/advertising-and-affiliates" rel="nofollow">https://duck.co/help/company/advertising-and-affiliates</a><p><a href="https://duckduckgo.com/privacy" rel="nofollow">https://duckduckgo.com/privacy</a>
From the post:<p>"Well a big one: Privacy of the readers of Pepper&Carrot."<p>Before even thinking about tossing things like Google Fonts or AddThis or whatever, the very first thing you need to do is turn on HTTPS. If you're concerned about privacy, or content injection, or MITM attacks, or name-your-poison-here, you must immediately only serve up pages via HTTPS with strong encryption.
The only issue with going against the grain here is if you're not putting your site itself behind a CDN. It'll vary in download rates across the globe. This was the intended use case for CDNs, but analytics are added so CDNs can improve.<p>You're correct with the fact that they are tracking us, but there's a trade-off that comes with this that holds tremendous value. If that value of speed isn't a factor or low on your list of priorities then by all means, sever everything.
The code injection problem can often (but not always) be solved via Subresource Integrity <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web/Security/Subres...</a>
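How a Subresource Integrity value is produced and checked, as an added example that is not part of the original comment: it runs under Node.js, builds the `integrity` attribute for a file, and approximates the browser-side check, including the rule that only the strongest listed algorithm counts. The function names, the URL and the file body are constructed for illustration.

```javascript
// Added example, not from the thread. URL and file contents are constructed.
const nodeCrypto = require('node:crypto');

// Hash algorithms SRI defines, ranked weakest to strongest.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// Value for the integrity attribute, computed over the exact bytes you audited.
function sriHash(body, algo = 'sha384') {
  if (!STRENGTH.has(algo)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  return `${algo}-${nodeCrypto.createHash(algo).update(body).digest('base64')}`;
}

// crossorigin="anonymous" makes the request a CORS request; without it the
// browser cannot read a cross-origin response to hash it and blocks the load.
// `url` is assumed to be a trusted build-time constant (it is not escaped).
function scriptTag(url, body) {
  return `<script src="${url}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Approximation of the browser-side check on the received bytes.
function verifyIntegrity(body, integrityAttr) {
  const parsed = integrityAttr.trim().split(/\s+/).map((token) => {
    const dash = token.indexOf('-');
    // Anything after '?' is an option string and is not part of the hash.
    return { algo: token.slice(0, dash), value: token.slice(dash + 1).split('?')[0] };
  }).filter((m) => STRENGTH.has(m.algo));

  // No usable metadata (empty attribute or only unknown algorithms):
  // the resource loads unchecked, so a typo in the algorithm name fails open.
  if (parsed.length === 0) return true;

  // Only hashes of the strongest algorithm present are considered.
  const best = Math.max(...parsed.map((m) => STRENGTH.get(m.algo)));
  return parsed
    .filter((m) => STRENGTH.get(m.algo) === best)
    .some((m) => sriHash(body, m.algo) === `${m.algo}-${m.value}`);
}
```

A pinned hash only helps for files that never change at their URL; a CDN path that serves "latest" will start failing the check on the next release.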
After working at an encrypted/private email service, this is my cup of tea. However, I'd like to go off-topic and point out that the comic looks fantastically well drawn: <a href="http://peppercarrot.com/en/article383/episode-19-pollution" rel="nofollow">http://peppercarrot.com/en/article383/episode-19-pollution</a>
A CDN is a common enough technique that it should be standardized in browsers. HTML should include a link to the resource hosted by the site and its checksum. Now the browser can easily use a cached resource from any other site with the same checksum or just download it from the site.<p>There are 2 reasons to use a CDN. The first is caching (different sites using the same resource from the same CDN will download it only once), the second is speed (some browsers restrict the connection count to the same domain, so hosting resources on different domains might improve download time). Caching is better solved by using the checksum as a key, instead of the URL. Speed with HTTP/2 is not an issue, because there's only one TCP connection. The only advantage of a CDN might be geographically distributed servers, so a user from China would download the resource from a China server instead of a US server. I don't see an easy and elegant way to solve it, but I'm not sure it should be solved at all; HTTP/2 pushing resources should be enough.
I use Decentraleyes to help with the CDN issue. It's not much but every little bit helps I think.<p><a href="https://addons.mozilla.org/firefox/addon/decentraleyes" rel="nofollow">https://addons.mozilla.org/firefox/addon/decentraleyes</a>
I use uMatrix and do not load external web fonts. I am stripping out CDN reliance in our stack at work as well. This practice of supporting secure protocols but still trading ease-of-development for end-user privacy & security must stop.
Maybe I'm missing something crucial, but why not just host the content on your own server? I.e., just download that Google font, jquery.js or FontAwesome and serve it directly instead of using an external CDN.<p>The post seems to say "I don't like where some content is coming from, so I re-created said content by myself".
Why use alternatives?<p>You can download the Google Web Fonts and serve them from your host.<p>You can also download and serve Font Awesome from local.<p>And there doesn't seem to be a reason why you can't do it with gravatar either.<p>I don't get this post honestly. It seems to be about replacing stuff with other stuff instead of replacing CDN with locally served content.
Good. Another reason not to use these CDNs is they're additional risk and introduce the potential for downtime and breakage. It's an additional point of failure that just doesn't come with many benefits.<p>I'll happily use these services for quick POCs and throwaway demos, but once anything starts to become semi-permanent I'll make sure I control my uptime and host these assets myself.
AddThis makes money by selling 3rd party audience segments to advertisers like me. I assume they get this data by tracking what users view what pages through their sharing buttons. Example segments I can buy to advertise to: <a href="http://i.imgur.com/JF6ZZPC.jpg" rel="nofollow">http://i.imgur.com/JF6ZZPC.jpg</a><p>The author doesn't even mention the big players: every FB share or like button, on all that nasty porn you watch (even in incognito mode), straight to FB. They recently changed their policies and signaled that they are going to start using this data for ad targeting, probably in a push to expand FAN and be more competitive with Google.<p>Something as simple as a share button that some blogger copied and pasted into their blog turned into an ad tech/data company!<p>I personally love that story and think that's cool and innovative thinking from AddThis.<p>But I also think more data = better ads, at the expense of privacy (probably not a popular opinion around here).
Off topic, but the root site of this blog post is pretty awesome - "Pepper & Carrot: A free, libre and open-source webcomic supported directly by its patrons to change the comic book industry!"
Wonder if there will be a time CDNs of these will pay you for the visitor data you 'share/leak' with them via the linked resources (to convince you to keep using them).
I really like CDNs because of the ability to drop in a file and know it will be cached correctly. (Also there is a high probability that your user already has a cached version of the file) But never thought about CDNs being able to track you.<p>Isn't there an alternative? A more transparent way to provide users with source files and still keep the 'cached items' aspect.
In the case of Google fonts, is it legally possible to download the font and serve it from one's own server? The FAQ has a relevant section, but does not answer this question: <a href="https://developers.google.com/fonts/faq" rel="nofollow">https://developers.google.com/fonts/faq</a>
So your main argument is privacy, not letting Google collect users' data, but then consider that most of your users are probably using Chrome, everything they type in the URL box is sent to Google (for autocompletion) anyway.<p>Is looking at some comics website even a privacy problem? Let's say Google finds out your user X looks at your website. What possible damage can they do? Sell it to the advertisers so they can target X with some comics ad? If you ran a medical site, I would get it.<p>Then you have to give up other cool things like Google Analytics.<p>P.S.<p>Some beautiful artwork on your site.