Discussion if Google Fonts is GDPR compliant(github.com)
github.com
Discussion if Google Fonts is GDPR compliant
https://github.com/google/fonts/issues/1495
75 comments
Or website operators could stop embedding objects hosted by Google. GDPR protects users to some extent, but sites should protect themselves, too. The information available to hosts of embedded assets is quite valuable, especially when those assets are in the form of scripts, and sites should seriously consider monetizing that information themselves rather than just giving it away.
Except that a shared CDN which everyone uses results in better performance.
For the popular fonts, a user probably already has them in their browser cache from other sites, so they load instantly.
Having sites redundantly host identical font files separately is a step backwards for users, who wind up waiting longer for a page to load, or experiencing the jarring FOUT (Flash Of Unstyled Text).
For the popular fonts, a user probably already has them in their browser cache from other sites, so they load instantly.
Having sites redundantly host identical font files separately is a step backwards for users, who wind up waiting longer for a page to load, or experiencing the jarring FOUT (Flash Of Unstyled Text).
> Except that a shared CDN which everyone uses results in better performance.
This is thrown around a lot, but very rarely with hard numbers to support it. A cold DNS cache costs at least one roundtrip, a cold SSL session cache costs several, a new SSL connection (presently) costs at least 2.
Meanwhile, all the above is necessary to talk to an origin site anyway, and networking performance for the best part of 10 years has been dominated by latency (i.e. roundtrips) rather than throughput.
Hoping the user had an idle connection to the Google CDN when measuring cold request start is wishful thinking
Meanwhile self-hosted reuses all of the above and enables assets to be combined into a single transaction, which vastly improves the behaviour of TCP cold start
This is thrown around a lot, but very rarely with hard numbers to support it. A cold DNS cache costs at least one roundtrip, a cold SSL session cache costs several, a new SSL connection (presently) costs at least 2.
Meanwhile, all the above is necessary to talk to an origin site anyway, and networking performance for the best part of 10 years has been dominated by latency (i.e. roundtrips) rather than throughput.
Hoping the user had an idle connection to the Google CDN when measuring cold request start is wishful thinking
Meanwhile self-hosted reuses all of the above and enables assets to be combined into a single transaction, which vastly improves the behaviour of TCP cold start
From googling: https://www.keycdn.com/blog/web-font-performance/
Skip to "Here is a comparison of hosting Open Sans locally vs Google CDN."
They found it was faster to use a Google CDN. One of the things this article suspects is that CDNs will have better world-wide coverage, and therefore overall latency, than hosting your font yourself.
I'd like to see a comprehensive study of your counter point, though.
Skip to "Here is a comparison of hosting Open Sans locally vs Google CDN."
They found it was faster to use a Google CDN. One of the things this article suspects is that CDNs will have better world-wide coverage, and therefore overall latency, than hosting your font yourself.
I'd like to see a comprehensive study of your counter point, though.
55ms is something, but that chart baseline is not 0ms and makes it look like the difference is waaay more significant :)
This test was performed with a single client based in LA, and concluded the fastest font - Open Sans - downloaded in 476ms. The test fails to measure how much of this is setup time vs transfer time, or account for behaviour of TCP during the transfer. You will find, and I will measure this for you if you really want, that setup time absolutely dominates this cost.
If setup time is amortized across all assets on a site, as it is when self-hosted, the true cost of the 220KiB font download will be vastly lower -- closer to 100ms assuming a sufficiently warm TCP connection over even an 8Mbit link, and significantly less again with faster links.
As for browser-side caching, this is once again wishful thinking and there is no room for it in any kind of engineering discipline
If setup time is amortized across all assets on a site, as it is when self-hosted, the true cost of the 220KiB font download will be vastly lower -- closer to 100ms assuming a sufficiently warm TCP connection over even an 8Mbit link, and significantly less again with faster links.
As for browser-side caching, this is once again wishful thinking and there is no room for it in any kind of engineering discipline
Does Google Fonts even use TCP? It might be HTTP2+QUIC.
> "... hosting Open Sans locally vs Google CDN."
Both of these are still a lot slower than simply installing the font in the OS (or browser) and loading out of the filesystem block cache (or using the already-loaded font in browser memory). Open Sans is Apache License 2.0, so it should be easy for browsers/OS to provide it as a standard font instead of merely the "web safe" set of fonts.
Both of these are still a lot slower than simply installing the font in the OS (or browser) and loading out of the filesystem block cache (or using the already-loaded font in browser memory). Open Sans is Apache License 2.0, so it should be easy for browsers/OS to provide it as a standard font instead of merely the "web safe" set of fonts.
The caching happens browser level. Chrome won't bother opening a connection if it sees a URL it knows.
The user's browser often doesn't need to make any request to Google's CDN because the font has already been downloaded and cached for use from some other site. Self-hosting doesn't allow this.
Even if we solve this problem by getting the users permission, or using signatures instead of a URL that points off site, or with a proxy (transparent/hosting at server/tor) then what is the next complaint?
Do we trust the server we're connecting to with their own TLS certificate revocation status? DNS? What about all hops along my network path? Email headers?
I doubt this was the intent. Using the Internet is inherently public. Privacy is hard and needs a clear separation / promise to the user. With that, Governments should have an awareness campaign so people know when they visit their bank website that they may be accessing third parties for fonts and tracking and that only their financial information is private.
Do we trust the server we're connecting to with their own TLS certificate revocation status? DNS? What about all hops along my network path? Email headers?
I doubt this was the intent. Using the Internet is inherently public. Privacy is hard and needs a clear separation / promise to the user. With that, Governments should have an awareness campaign so people know when they visit their bank website that they may be accessing third parties for fonts and tracking and that only their financial information is private.
Moreover, the browsers have a caching mechanism.
Additionally, it should improve with HTTP/2 because servers can push the fonts immediately and because of connection multiplexing?
If everyone dumped their excess tracking JavaScript, but added locally-hosted fonts, the net difference would still be far superior performance to what the average user is used to.
Or you could just use a selection of common system fonts, and not host any fonts at all.
Or you could just use a selection of common system fonts, and not host any fonts at all.
There are better solutions to this problem which don't use CDNs. Particularly, using secure hashes of resources allows users to load the fonts from cache even if they're stored at different URIs, while preventing various hacks that can occur with a CDN.
Right, so it's a question of performance vs privacy. Which is a very legitimate debate.
The joke is that nothing is gdpr compliant.
I've not met 1 company who met all aspects of this law.
I'd guess this also means that any asset in a 3rd party CDN would be non compliant with gdpr
I've not met 1 company who met all aspects of this law.
I'd guess this also means that any asset in a 3rd party CDN would be non compliant with gdpr
When nobody is compliant, the regulating authorities can pick whoever they want to prosecute, including favoring turning a blind eye towards local companies and targeting foreign companies.
The GDPR is Working as Intended.
The GDPR is Working as Intended.
There is no major european internet company worth speaking about, so I think they probably don't care if it irreparable damages their own local companies in the process of damaging the foreign ones since they are virtually non existent anyhow.
Ironically the foreign big ones have enough resources to comply to the law, small local ones don't and will die/never be created in the first place.
> the regulating authorities can pick whoever they want to prosecute
It doesn't really work that way, at least not in germany, anyone can just sue (or threaten to sue) their competition over this (they already started) there is no such thing as this mythical benevolent authority who could stop this wanton destruction you are talking about.
Ironically the foreign big ones have enough resources to comply to the law, small local ones don't and will die/never be created in the first place.
> the regulating authorities can pick whoever they want to prosecute
It doesn't really work that way, at least not in germany, anyone can just sue (or threaten to sue) their competition over this (they already started) there is no such thing as this mythical benevolent authority who could stop this wanton destruction you are talking about.
> anyone can just sue (or threaten to sue) their competition over this
This is wrong. Competitors (and only competitors) can send a cease-and-desist letter based on competition law, because ignoring GDPR gives an unfair advantage - even that only in Germany because the tool used here ("Abmahnungen") are a unique german thing.
They are also a common thing between companies that don't "like" each other and if you send one you can expect to get one back. Receiving one costs ~1000 € (goes to the opposing lawyer) so they don't hurt much and the only one profiting is the lawyer.
This is wrong. Competitors (and only competitors) can send a cease-and-desist letter based on competition law, because ignoring GDPR gives an unfair advantage - even that only in Germany because the tool used here ("Abmahnungen") are a unique german thing.
They are also a common thing between companies that don't "like" each other and if you send one you can expect to get one back. Receiving one costs ~1000 € (goes to the opposing lawyer) so they don't hurt much and the only one profiting is the lawyer.
Yes competitors have an unjust advantage if they don't comply with GDRP and you can take legal action against them. There is no authority that goes around deciding when this actually makes sense or is harmful to the economy. Which was my point.
> the only one profiting is the lawyer
how would I not profit from my competition having to pay money, I don't care if I get the money.
> the only one profiting is the lawyer
how would I not profit from my competition having to pay money, I don't care if I get the money.
> Ironically the foreign big ones have enough resources to comply to the law, small local ones don't and will die/never be created in the first place.
Yep, that's what I've been saying all along, but people don't seem to understand.
The real cost of regulation isn't the cost of non-compliance and the punitive measures that follow. It is the cost of compliance, reporting, addressing an endless stream of complaints and requests for information.
Large companies have the resources to handle that, small ones don't.
Yep, that's what I've been saying all along, but people don't seem to understand.
The real cost of regulation isn't the cost of non-compliance and the punitive measures that follow. It is the cost of compliance, reporting, addressing an endless stream of complaints and requests for information.
Large companies have the resources to handle that, small ones don't.
The alternative to the GDPR was endless and increasing harm to users. The "invisible hand of the market" couldn't find a solution. So now we have regulation.
This is the world we live in. When the market fails to protect users, eventually there might actually be consequences.
So constructively, how do we solve this CDN problem while causing the least harm to both businesses and users? Perhaps identify assets by cryptographic signature rather than URL?
This is the world we live in. When the market fails to protect users, eventually there might actually be consequences.
So constructively, how do we solve this CDN problem while causing the least harm to both businesses and users? Perhaps identify assets by cryptographic signature rather than URL?
Can you explain what harm is being caused to users by accessing fonts off a CDN?
It potentially opens them up to tracking by whoever operates the CDN.
Sounds like FUD. You can say this about any web server. Also, "tracking" doesn't imply actual harm or abuse.
Is anyone dealing with 3rd party script/image loads at all? I just loaded a bunch of different major websites while watching the network tab in Firefox, and there wasn't a single site that didn't load ads and other assets from 3rd party domains. And that's before the "do you accept cookies?" prompt, assuming they have one at all. On most sites, it seems like it would be easier to list the advertising networks that aren't used than to list the ones that are used.
Wouldn't using cloudfront be compliant, because it's your bucket? Turn off the logs, then it's anonymous. Or did I miss anything?
IANAL but I think you still need to sign a data processing agreement with them and have your users confirm that they'll have access to their data.
Does Amazon do unreasonable things with your users' data? Because otherwise you wouldn't need consent.
The terms are broad in GDPR, so you need the DPA just for Amazon to store it, as that's "processing". However, you don't need your users to confirm that, they agree to share the information with you (controller) and you'll have some sort of terms in your privacy policy allowing you to share personal information with 3rd parties you regularly interact with for legitimate purposes who will be bound by the terms set forth in your own privacy policy.
No, you still need a processing agreement with Amazon, but that's not a problem.
your own bucket wouldn't benefit from browser url-based caching of common assets (libraries, fonts, etc)
have a Data Processing Agreement with the CDN, like with any hosting provider you use, spelling out a reasonable policy for what they do with your users data. Mention them in your privacy policy. Which Google could just offer as a self-service thing for Fonts, since it doesn't need any customization. And suddenly your use of the CDN is compliant.
You can absolutely store IP addresses (and other personal information) without consent and be GDPR compliant. You just need to explain what you are storing, for what purpose, who you share it with, how long it's stored, and comply with the "rights" put forth in the legislation. GDPR merely constrains what information Google can share without your consent and requires them to be more explicit in stating what information they gather about you.
Indirectly you share the users IP by letting their browser sand a get request to google. The problematic is the same for any CDN you use.
As far as I can see, the request that asks for the font is a simple GET. So does this mean that an HTTP request to third-party X, who will log the user's IP, User-Agent and possibly the origin, will now require an agreement with X and explicit consent from the user? If so, will the consent need to be established before the request?
I'm pretty sure you need a contract for data processing at least. I'm absolutely not shure if you also need consent. (please let me know if anyone found out!).
npr.org went back from WWW to what feels like WAP for those not giving consent.
npr.org went back from WWW to what feels like WAP for those not giving consent.
Think of all the lost productivity wasted on stuff like this...
Think of all the abuse prevented. It's a tradeoff.
Of course, if you're someone who profits off of abusing users, you may see the GDPR as wholly negative.
Of course, if you're someone who profits off of abusing users, you may see the GDPR as wholly negative.
This is generally dealt with through market choice, with people choosing the trade off that they perceive as optimal for themselves. Instead we now have one standard for data handling being imposed by the EU, and precluding a vast number of potentially more optimal interactions.
Your solution didn't work for users. It was a market failure that produced huge negative externalities borne by users, for which there was no practical means of redress.
Because users were faced with a raw deal, now we have regulation.
Because users were faced with a raw deal, now we have regulation.
The practical means of redress was the government empowering individuals with public funding for development of anonymity technologies, public directories comparing services and their abidance to voluntary data protection standards, and possibly public service announcements educating people about what data they disclose while browsing non-anonymously, or browsing particular types of websites, and how that data can be shared and used by private data collectors.
Regardless, I don't think it's clear that the benefits of the market being left to itself haven't outweighed the costs. My snap judgment (which isn't that useful when assessing massively complex topics like this) is that the benefits dwarf the costs.
Much of the internet services that have emerged over the last 20 years have been paid for by personal information that users have traded away in exchange for these services. Everything from Gmail, to Google searches, to Facebook, to millions of Youtube videos, to the vast amounts of self-help content one can find about any topic, is ad-funded, which depends in large part on this exchange of personal information for web services.
The problem is people are taking all of these services available on the web for granted, and recklessly assuming we would have all of them without the ability to target ads using collected PII, and with the added burden of complying with the onerous GDPR requirements.
Regardless, I don't think it's clear that the benefits of the market being left to itself haven't outweighed the costs. My snap judgment (which isn't that useful when assessing massively complex topics like this) is that the benefits dwarf the costs.
Much of the internet services that have emerged over the last 20 years have been paid for by personal information that users have traded away in exchange for these services. Everything from Gmail, to Google searches, to Facebook, to millions of Youtube videos, to the vast amounts of self-help content one can find about any topic, is ad-funded, which depends in large part on this exchange of personal information for web services.
The problem is people are taking all of these services available on the web for granted, and recklessly assuming we would have all of them without the ability to target ads using collected PII, and with the added burden of complying with the onerous GDPR requirements.
I like your proposals and I think they're a good start, but I don't think they are practical for a large portion of the population. They are only realistic for the wealthy, and most of us aren't wealthy.
People who are struggling to get by are not going to have the time, energy, or expertise to comparison shop. And when their identities get stolen because their personal information was leaked by a provider, they're just going to get crushed.
Those proposals of yours didn't happen for a reason: they are not in the interest of the capitalist class, and the way modern markets are set up, capitalists have way more power than other individual citizens.
Denied effective means of organizing to protect themselves from exploitation and abuse, is it any wonder that when the masses vote for politicians advocating regulation?
Find a variant of market Libertarianism where the majority of the population can actually defend their rights rather than get steamrolled and you'll see less regulation.
People who are struggling to get by are not going to have the time, energy, or expertise to comparison shop. And when their identities get stolen because their personal information was leaked by a provider, they're just going to get crushed.
Those proposals of yours didn't happen for a reason: they are not in the interest of the capitalist class, and the way modern markets are set up, capitalists have way more power than other individual citizens.
Denied effective means of organizing to protect themselves from exploitation and abuse, is it any wonder that when the masses vote for politicians advocating regulation?
Find a variant of market Libertarianism where the majority of the population can actually defend their rights rather than get steamrolled and you'll see less regulation.
>>People who are struggling to get by are not going to have the time, energy, or expertise to comparison shop. And when their identities get stolen because their personal information was leaked by a provider, they're just going to get crushed.
The cost to innovation is too steep a price for the additional safety gained. As it is, we don't live in a safe world either way. We are constantly struggling against the forces of uncertainty.
It is only through innovation that we better enable ourselves to contend with these forces.
Look at all of the web innovation that has arisen over the last two decades. It's given us a significant boost in our ability to manage the world around us.
Restrictive regimes like GDPR inhibit the free flow of action that generates innovation. It's bad bargain.
>>Those proposals of yours didn't happen for a reason: they are not in the interest of the capitalist class, and the way modern markets are set up, capitalists have way more power than other individual citizens.
I don't agree with your classist categorizations, but let's just say there is a powerful special interest that stands in the way of a given political solution.
I'd argue that any effective solution would need to be implemented over the lobbying and resistance of one or more of said powerful special interest groups.
If a political solution didn't need to be implemented over the objections of one of these groups, then I'd argue that it's almost certainly not effective, for one or more reasons.
So I'd say it's better to not implement a political change, if the ideal solution is not viable.
The cost to innovation is too steep a price for the additional safety gained. As it is, we don't live in a safe world either way. We are constantly struggling against the forces of uncertainty.
It is only through innovation that we better enable ourselves to contend with these forces.
Look at all of the web innovation that has arisen over the last two decades. It's given us a significant boost in our ability to manage the world around us.
Restrictive regimes like GDPR inhibit the free flow of action that generates innovation. It's bad bargain.
>>Those proposals of yours didn't happen for a reason: they are not in the interest of the capitalist class, and the way modern markets are set up, capitalists have way more power than other individual citizens.
I don't agree with your classist categorizations, but let's just say there is a powerful special interest that stands in the way of a given political solution.
I'd argue that any effective solution would need to be implemented over the lobbying and resistance of one or more of said powerful special interest groups.
If a political solution didn't need to be implemented over the objections of one of these groups, then I'd argue that it's almost certainly not effective, for one or more reasons.
So I'd say it's better to not implement a political change, if the ideal solution is not viable.
I can't think of any abuse prevented.
Worst case, assume they are actually correlating this for ad tracking: you might get more relevant ads instead of generic junk that you have no interest in. That's actually the opposite of abuse.
Worst case, assume they are actually correlating this for ad tracking: you might get more relevant ads instead of generic junk that you have no interest in. That's actually the opposite of abuse.
If you fail to see how web fonts add value the tradeoff is different though. Google Fonts is just as useless as the old ‘sifr’ Flash crapplets, just as much a waste of resources and more of a waste of privacy.
unreal. and advocates deny any and all costs and collateral. i can't believe their spending limited political and financial capital on this rather than the multitude of real problems in the EU - without any compelling cost-benefit analysis no less.
Why is Google not answering that they do not track IPs ? it is likely they are tracking them, so are they tracking the IPs for security reasons or they mining the traffic.
Someone that knows more on how this work can you answer if Google can see more then your IP? like user agent or cookies ?
Someone that knows more on how this work can you answer if Google can see more then your IP? like user agent or cookies ?
Open the developer tools (F12) on any website that uses it and you can see in the network tab what it sends.
So yes, cookies, but the ones for the domain where the fonts are hosted, not the one you are visiting. Not sure about the referrer. User agent for sure.
So yes, cookies, but the ones for the domain where the fonts are hosted, not the one you are visiting. Not sure about the referrer. User agent for sure.
probably, at the very least for avoiding DOS attacks on important common assets. GDPR is one of the most shortsighted laws I've ever read
If you have read the law or this linked github page you have seen that security was considered, search for this text
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.
Did you read this and it was not enough for you, Btw is DDOS and not DOS attacks (in case it was not a typo)
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.
Did you read this and it was not enough for you, Btw is DDOS and not DOS attacks (in case it was not a typo)
Never mind Google Fonts, what about SafeBrowsing? What about Chrome?
I already saw the first legal actions against users of it...
Just based on the fact that Google's business model is inherently incompatible with privacy, I'd stay away.
It is in Google's best interest to sneakily track people despite claiming not doing so, and they can be very good at it and do in a way that's undetectable from the outside. In fact, I would be surprised if they're not doing this already.
It is in Google's best interest to sneakily track people despite claiming not doing so, and they can be very good at it and do in a way that's undetectable from the outside. In fact, I would be surprised if they're not doing this already.
Elaborate on this.
Are you saying Google has crossed the line into social intelligence territory like china has?
Is there evidence for this, beyond "google is bad!!1!" ?
Are you saying Google has crossed the line into social intelligence territory like china has?
Is there evidence for this, beyond "google is bad!!1!" ?
(Notes wifi is "off")
(Notes GPS is "off")
(Notes Location sharing somehow got turned on)
Hey, we need your help! How was $eatery_you_ate_at_last_night ?Can you give us direction how busy the $Business_you_parked_nearby is?
And, this https://www.google.com/maps/timeline?hl=en&authuser=0&pb
Google shouldn't even be collecting this. But they are. We know not how they use it. But if you have the data, of course you're using it!
Please change the title to "Discussion if Google Fonts is GDPR compliant".
In the current form the title "Google Fonts not GDPR compliant" is just FUD, as the argument "Google Font is ok because Google LLC is certified under the EU-U.S. Privacy Shield frameworks" holds some water imho.
In the current form the title "Google Fonts not GDPR compliant" is just FUD, as the argument "Google Font is ok because Google LLC is certified under the EU-U.S. Privacy Shield frameworks" holds some water imho.
> the argument "Google Font is ok because Google LLC is certified under the EU-U.S. Privacy Shield frameworks" holds some water imho.
While I wish that were the case, the Privacy Shield framework only legitimizes the cross-border transfer of the data. It doesn't have any bearing at all on the need for notice to users, contractual relationship with them as a processor/sub-processor, or the compliance of Google's use of that personal data once the cross-border transfer has occurred.
While I wish that were the case, the Privacy Shield framework only legitimizes the cross-border transfer of the data. It doesn't have any bearing at all on the need for notice to users, contractual relationship with them as a processor/sub-processor, or the compliance of Google's use of that personal data once the cross-border transfer has occurred.
Thank you for the suggestion.
The original title was however not FUD: Some Web site owners in Germany have received legal warnings for their use of Google Fonts which was considered as not GDPR compliant ( https://translate.google.com/translate?hl=en&sl=de&u=https:/... .)
The original title was however not FUD: Some Web site owners in Germany have received legal warnings for their use of Google Fonts which was considered as not GDPR compliant ( https://translate.google.com/translate?hl=en&sl=de&u=https:/... .)
The article you are linking to says that it is not clear if those German cease and desist letters are based on any facts or if they are itself just FUD.
This was flagged and dead so I vouched for it and it returned (I wasn't aware I had such power!)
I think it's a very valuable post but I agree the title needs fixing.
I think it's a very valuable post but I agree the title needs fixing.
I also asked a much more encompassing question here: https://news.ycombinator.com/item?id=17196169
In a nutshell, if I buy VPN access to a European GDPR compliant provider, do I get the rights listed in the GDPR?
In a nutshell, if I buy VPN access to a European GDPR compliant provider, do I get the rights listed in the GDPR?
You'd probably be treated by default as such because of the IP, but afaik it only applies to citizens so you probably wouldn't be able to sue if applicable. Or if you need to show ID for requesting your data to prove your identity (if they don't have an online, automated process, then that's quite standard).
No, as you are not a EU resident. But websites might treat you as if GDPR applies to you.
The real question is why you used Google Fonts in the first place. You're telling me downloading another megabyte (or more) of stock fonts — no actual corporate branding — is worth both your and my time? Yeah, no. Stick to core fonts which actually work and render well within the UA, or bring your own custom branded fonts, but don't bother me with half-baked stock fonts.
The same question for using random-js-library from googleapis.com: You're trying to tell me that giving Google (and anyone who somewhere between me and them takes control of that domain) full arbitrary code execution privileges within your origin is worth saving a one-off download of some JS library? I don't think so.
The same question for using random-js-library from googleapis.com: You're trying to tell me that giving Google (and anyone who somewhere between me and them takes control of that domain) full arbitrary code execution privileges within your origin is worth saving a one-off download of some JS library? I don't think so.
Using subresource integrity "random-js-library" hosted on a 3rd party isn't "arbitrary code execution", as the useragent will refuse to run the script if it's hash changes in any way from what you provided.
The same can be used with all other "subresources" like stylesheets and fonts! However Google specifically makes this hard as they have been known to update the served font from time to time, which if you are using SRI will break the font entirely.
The same can be used with all other "subresources" like stylesheets and fonts! However Google specifically makes this hard as they have been known to update the served font from time to time, which if you are using SRI will break the font entirely.
> Using subresource integrity "random-js-library" hosted on a 3rd party isn't "arbitrary code execution", as the useragent will refuse to run the script if it's hash changes in any way from what you provided.
That's true, but SRI is still rarely deployed; and no surprise there: the official Google docs don't use SRI in their "paste this into your code" examples: https://developers.google.com/speed/libraries/
Also, Edge still doesn't support SRI.
So, yes, for some UAs this specific problem (resource integrity) is a solved problem, but like I said, it's far from the default.
The other issues - lack of necessity, load time, degraded visual quality, giving user data away for free to an advertiser etc. - remain untouched.
That's true, but SRI is still rarely deployed; and no surprise there: the official Google docs don't use SRI in their "paste this into your code" examples: https://developers.google.com/speed/libraries/
Also, Edge still doesn't support SRI.
So, yes, for some UAs this specific problem (resource integrity) is a solved problem, but like I said, it's far from the default.
The other issues - lack of necessity, load time, degraded visual quality, giving user data away for free to an advertiser etc. - remain untouched.
I completely agree that it needs to be more widely used, and I absolutely think that google could go a long way toward making it more common.
But to be completely honest, lack of user agent support shouldn't be a reason to not use a feature. Edge doesn't support it, so Edge users are less secure. There are also user agents that have CORS restrictions disabled or don't support HSTS, but i'm still going to use and rely on both of those for security.
And it sounds like you and I disagree completely on the usefulness of fonts. For me a font isn't "unnecessary" any more than paint isn't necessary on a house. Sure, you could live in a house without paint, but I want paint on my house. As for longer load times, and degraded visual quality. The previous is being dealt with via new font-display css descriptor, and in browsers that don't support that they have timeouts of normally 3 seconds at most, and the former is an opinion that I absolutely don't share.
But to be completely honest, lack of user agent support shouldn't be a reason to not use a feature. Edge doesn't support it, so Edge users are less secure. There are also user agents that have CORS restrictions disabled or don't support HSTS, but i'm still going to use and rely on both of those for security.
And it sounds like you and I disagree completely on the usefulness of fonts. For me a font isn't "unnecessary" any more than paint isn't necessary on a house. Sure, you could live in a house without paint, but I want paint on my house. As for longer load times, and degraded visual quality. The previous is being dealt with via new font-display css descriptor, and in browsers that don't support that they have timeouts of normally 3 seconds at most, and the former is an opinion that I absolutely don't share.
so you think EU law should dictate viable fonts, libraries, and distribution methods? why is the EU so paternalistic and authoritarian? why don't they focus limited economic resources on bigger problems? where is the cost-benefit analysis?