Loomio

Disable JQuery CDN by default

B bh Public Seen by 71

I encountered a problem in the pod configuration files. The feature "jquery_cdn" (take the jquery script from jquery.com) is enabled by default. This can compromise security and makes diaspora centralized, because JQuery.com can replace the script. I'm a podmin and I never thought that this feature was enabled on my pod, because I kept this option commented (screened by #) in the configuration, and I was sure, but... I had to uncomment the option in the configuration and explicitly disable it (erase 'true' and type 'false').

I suggest disabling jquery_cdn in defaults.yml. Podmins may uncomment this option in diaspora.yml and enable JQuery CDN if necessary.
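
The pitfall described in the post above, as an added example that is not part of the original thread or diaspora*'s own code: a commented-out option in the podmin's file silently inherits the value from the defaults file. The YAML snippets and the `settings` nesting are constructed for illustration, and the helper names are hypothetical.

```ruby
require "yaml"

# Constructed stand-ins for defaults.yml and diaspora.yml. The "settings"
# nesting is an assumption for illustration, not diaspora*'s real layout.
DEFAULTS_YML = <<~YAML
  settings:
    jquery_cdn: true
YAML

# Option left commented out, as the first post describes.
COMMENTED_YML = <<~YAML
  settings:
    #jquery_cdn: false
YAML

# Option uncommented and set explicitly.
EXPLICIT_YML = <<~YAML
  settings:
    jquery_cdn: false
YAML

# Overlay the podmin's values on the defaults. A section that contains
# only comments parses as nil and must not wipe out the defaults.
def deep_merge(base, override)
  base.merge(override) do |_key, old, new|
    next old if new.nil?
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

# Returns [found, value] so an explicit false is not mistaken for "unset".
def lookup(hash, path)
  node = hash
  path.each do |key|
    return [false, nil] unless node.is_a?(Hash) && node.key?(key)
    node = node[key]
  end
  [true, node]
end

# Effective value of a setting and whether the podmin set it explicitly.
def effective_setting(defaults_text, override_text, path)
  defaults = YAML.safe_load(defaults_text) || {}
  override = YAML.safe_load(override_text) || {}
  explicit, = lookup(override, path)
  _, value = lookup(deep_merge(defaults, override), path)
  { value: value, source: explicit ? :explicit : :default }
end

p effective_setting(DEFAULTS_YML, COMMENTED_YML, %w[settings jquery_cdn])
```

A `source` of `:default` for a setting that loads third-party script is the case worth flagging in a configuration review.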

JR

Poll Created Thu 10 Jul 2014 6:59AM

Change jquery_cdn in defaults.yml to false Closed Sun 20 Jul 2014 6:10AM

Currently jquery_cdn is by default true - which means diaspora* will fetch the jQuery javascript from the official jQuery servers. If this setting is false, diaspora* will itself serve jQuery.

Pros to having this default to true (like it is now):
- Save some bandwidth for pod maintainer
- Faster page loading since most users will already have jQuery cached from the CDN (=half of the internet uses it)

Cons to having this default to true (like it is now):
- Each page load makes a request also to the jQuery servers - potential privacy issue if someone is worried about that
- Problems with jQuery servers would create problems for diaspora* pods (as unlikely as that is, it is possible)

So, this proposal gives the following options:

YES - change jquery_cdn to FALSE - ie diaspora server will serve jquery directly to user
NO/BLOCK - keep jquery_cdn as TRUE - ie user browser will fetch jquery from jquery servers

NOTE! Podmins can always change this setting, whatever the default is.

Results

Option      % of points   Voters
Agree       83.3%         15   ST JR F RF DM SM SVB S KAK A B V DU Q DU
Abstain     16.7%         3    FS JH G
Disagree    0.0%          0
Block       0.0%          0
Undecided   0%            129  JL BK MS TS AA S CB HF BO DM GC JH M EG G AX PC PP BB LP

18 of 147 people have participated (12%)

Flaburgan
Agree
Thu 10 Jul 2014 7:01AM

It's only a setting anyway, podmins of big pods would be aware of that and can change it really easily.

Rich
Agree
Thu 10 Jul 2014 8:08AM

As much as possible should be done to protect pods and users (for both security and privacy) by default.

Karthikeyan A K
Agree
Thu 10 Jul 2014 2:07PM

Yup, that will be good

goob
Abstain
Mon 14 Jul 2014 9:37AM

I'm happy either way, as long as the config file states clearly what the default is.

Florian Staudacher
Abstain
Tue 15 Jul 2014 10:53AM

@goob +1

Jason Robinson Thu 10 Jul 2014 7:00AM

I created a proposal since I think there is not much to discuss here - we either have it default to false or true and what each means is quite clear :)

Jason Robinson Thu 10 Jul 2014 7:06AM

While I personally think using the jQuery CDN is a good thing to do (and will continue to do on my pod) - I also think it would probably be better to default to false here, so that podmins who want to use it will need to actually enable it.

Jason Robinson Wed 16 Jul 2014 10:49AM

I think our opinion is quite clear on this. Do we also agree this change should be pushed out in the next major release, not the next minor release? IMHO this should be in a major release since it changes old configuration defaults.

goob Wed 16 Jul 2014 3:38PM

I don't think there's any hurry to push out this change, since any podmin can easily switch off CDN. I'd suggest clarifying the explanation in the config file in the very next release, so that no one can be confused about what is the default setting, and then changing the actual default setting in the next major release, as you suggest.