Loomio

Disable JQuery CDN by default

bh

I encountered a problem in the pod configuration files. The feature "jquery_cdn" (take the jQuery script from jquery.com) is enabled by default. This can compromise security and makes diaspora centralized, because jQuery.com can replace the script. I'm a podmin and I never thought that this feature was enabled on my pod, because I kept this option commented out (screened by #) in the configuration, and I was sure, but... I had to uncomment the option in the configuration and explicitly disable it (erase 'true' and type 'false').

I suggest disabling jquery_cdn in defaults.yml. Podmins may uncomment this option in diaspora.yml and enable the jQuery CDN if necessary.

Rich Wed 9 Jul 2014 4:11PM

Excellent idea, why has no one thought of this before?

Flaburgan Wed 9 Jul 2014 4:15PM

@rich1 we recently changed the CDN from Google's one to jQuery's one. But I agree here, the default value should be "do not use the CDN".

Eduardo Wed 9 Jul 2014 5:00PM

If Diaspora* doesn't use CDNs, the page load will be slower.
The use of CDN has more advantages than disadvantages.

http://www.sitepoint.com/7-reasons-to-use-a-cdn/

http://gtmetrix.com/why-use-a-cdn.html

bh Wed 9 Jul 2014 5:48PM

It's the price we should pay for decentralization. Diaspora has many problems associated with decentralization - for example, we have no search across all pods. By using jQuery.com or any other corporate CDN provider we make the network centralized. The owners of jquery.com may replace the script and disable most pods or steal data passed via jQuery.

Anyway, the discussion is only about default settings. A podmin can easily enable the CDN by removing a single sharp character (#) from the configuration file.

goob Wed 9 Jul 2014 5:58PM

I thought CDN for jQuery was disabled by default. Certainly that's what the yml config file implies.

Can someone with core code knowledge confirm whether or not the code does use jQuery.com's CDN as default?

I don't think it matters too much whether the CDN is enabled or disabled by default - it brings performance improvements, and any particularly privacy-conscious podmin can easily disable it - but the important thing is that the text in the config file must clearly explain what is the default case - enabled or disabled. That's what needs to be fixed if it's not clear at the moment.

Rich Wed 9 Jul 2014 6:08PM

The 0.4.0.1 source "diaspora.yml.example" file says:

#jquery_cdn: true

So CDN is disabled by default.

bh Wed 9 Jul 2014 6:10PM

The problem is in the file config/defaults.yml at line 44

https://github.com/diaspora/diaspora/blob/develop/config/defaults.yml#L44

If we write in the description something like this: "Don't include jQuery from jquery.com's CDN. jQuery is included from jquery.com's CDN by default. This feature potentially saves you some traffic and speeds up load time since most clients already have this one cached. You can disable it by uncommenting the following line, if you want to host jQuery at your pod.
#jquery_cdn: false"

This description is still unclear, because a description should describe what the setting does, not what the provided example would do if enabled.

You may look at the example configuration with its description: https://github.com/diaspora/diaspora/blob/develop/config/diaspora.yml.example#L173

Rich Wed 9 Jul 2014 6:11PM

But the 0.4.0.1 source "defaults.yml" file says:

jquery_cdn: true

Maybe someone could confirm that settings made in "diaspora.yml" override those made in "defaults.yml"?

(as I'm confused now too)

bh Wed 9 Jul 2014 6:18PM

Yes, Rich! I was misled like you. When I kept the line '#jquery_cdn: true' screened, the CDN was enabled.

bh Wed 9 Jul 2014 6:24PM

If diaspora.yml has no value for an option (or the option is screened by #), then the option's value is taken from defaults.yml.

So I should explicitly write 'jquery_cdn: false' in diaspora.yml to disable this feature. Otherwise the CDN will be enabled.
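
The fallback behaviour described in the posts above, as an added example that is not part of the thread and not Diaspora's own code: a generic deep merge stands in for the project's real config loader, and the YAML snippets (including the "settings" section name) are constructed, simplified stand-ins for defaults.yml and diaspora.yml. It also lists which options a podmin is silently inheriting from the defaults.

```ruby
require "yaml"

# Constructed, simplified stand-ins for config/defaults.yml and diaspora.yml.
DEFAULTS_YML  = "settings:\n  jquery_cdn: true\n  pod_name: \"diaspora*\"\n"
# Option left commented out: YAML never sees the key at all.
COMMENTED_YML = "settings:\n  #jquery_cdn: true\n  pod_name: \"example pod\"\n"
# Option set explicitly by the podmin.
EXPLICIT_YML  = "settings:\n  jquery_cdn: false\n  pod_name: \"example pod\"\n"

# Overlay +override+ on +base+. Keys missing from the override keep the
# default; a section containing only comments parses as nil and is treated
# as missing too, so it cannot wipe out the defaults.
def deep_merge(base, override)
  base.merge(override) do |_key, old, new|
    if new.nil? then old
    elsif old.is_a?(Hash) && new.is_a?(Hash) then deep_merge(old, new)
    else new
    end
  end
end

def effective_config(defaults_yaml, local_yaml)
  deep_merge(YAML.safe_load(defaults_yaml) || {}, YAML.safe_load(local_yaml) || {})
end

# Dotted paths of options whose value comes from the defaults because the
# local file does not set them: the ones a podmin should review explicitly.
def inherited_keys(defaults, local, prefix = nil)
  local = {} unless local.is_a?(Hash)
  defaults.flat_map do |key, value|
    path = [prefix, key].compact.join(".")
    if value.is_a?(Hash)
      inherited_keys(value, local[key], path)
    else
      local[key].nil? ? [path] : []
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  { "commented" => COMMENTED_YML, "explicit" => EXPLICIT_YML }.each do |name, yml|
    cfg = effective_config(DEFAULTS_YML, yml)
    inherited = inherited_keys(YAML.safe_load(DEFAULTS_YML), YAML.safe_load(yml))
    puts "#{name}: jquery_cdn=#{cfg['settings']['jquery_cdn']} inherited=#{inherited}"
  end
end
```
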