GDPR, Stacks and local libraries


(Markus Frieauff ) #1

In order to make my website safe with regard to GDPR I have tried to host all required libraries locally, on my own server. I managed to replace the URLs in the theme files that lead to several CDNs with local copies of the scripts. However, Stacks seems to add a reference to a jQuery deposit and insert that line of code into the plugin header:
<script type='text/javascript' charset='utf-8' src='https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js'></script>

For the life of me I can’t find that anywhere. Even when I disable the CDNs in the Stack plugin preferences this line appears. Is there a way to get rid of it?


(Michael Frankland) #2

I think Google have already committed to GDPR compliance - or are working on it. So jQuery CDN, Google Fonts, Maps etc should be safe to use… but check here (bottom of page):


(Jan Fuellemann) #3

Yes, but we still have to write a new chapter in the data protection policy of our websites for this.

Can you please support the built in jquery of stacks for us - or give us the choice to do so?

Thank you!


(Markus Frieauff ) #4

Google’s compliance isn’t the point. It is the required consent of the visitors. As soon as the browser loads jQuery or a Google Font or a Google map it sends the IP address of the visitor to Google’s servers - without any option to ask for his consent beforehand.
I can host all the stuff locally and load it from there. Not as comfortable because I’ll have to update it manually, but alas. But if the Stacks plugin automatically adds a jQuery call that I can’t modify this breaks the GDPR rules.
@isaiah can you please comment on this? Thanks!


(Jannis from inStacks Software) #5

jQuery and Font Awesome can be loaded as local option.
Not jQuery UI and other libraries (afaik).


(Markus Frieauff ) #6

Exactly what I observed - and this breaks the GDPR compliance of Stacks!


(Michael M.) #7

Google can agree to the GDPR but nevertheless it is not allowed to transfer any personal information (the IP is personal information) without the visitor’s consent. If the visitor doesn’t want Google to grab his IP or other personal information we are not allowed to do this and we have to build our websites in a way that the data transfer won’t be possible.

Even Apple agreed to the GDPR but in their iCloud EULA they write that in some special cases they would give personal information to the US authorities. I think the other great players will do the same. Even if those companies accept the EU regulations this is no guarantee that no data will be transferred.

But what about fingerprinting…? We have no chance to do anything…?


(Will Woodgate) #8

Not sure if this will help, but if you click Prefs > HTML from the bottom right of your Stacks window, you can change where Stacks gets its jQuery / jQuery UI and Font Awesome icons from:

This screen grab is from Stacks 3.5 and I think this is an option available to the general public, not just developers or Beta testers. Unchecking the CDN options will load local versions of these instead that are hosted on your own website:

I’m in agreement with @Fuellemann and @therealmf. The way GDPR is written, Google and other CDNs are not compliant, based on my interpretation of the law. Disabling these calls to third-party sites appears to be the easiest form of compliance.

I am in the process of releasing free updates for some of my themes that remove the CDN links and use local versions of everything instead. So these updates combined with the above setting in Stacks should get you very close towards full GDPR compliance. If you are in need of specific theme updates from me, please get in touch.


(Jannis from inStacks Software) #9

AFAIK, this works only for the 3 shown libraries, not for jQuery UI.


(Markus Frieauff ) #10

Thanks Will. Unfortunately, as Jannis already pointed out, you can only disable the calling of some of the libraries and jQuery UI remains. I think Isaiah needs to fix this.


(Isaiah Carew) #11

OK, so there are two sort of swirling issues here, one about GDPR and one about jQueryUI on a CDN.

GDPR

I don’t live, work, or operate in the EU so don’t have a strong opinion on the GDPR. That said, my research seems to indicate that Google CDNs will be in compliance. However it does seem ambiguous enough that I certainly think there will be many who choose to read it that all CDNs have to be eliminated from the web and vice versa. And I’d like to make Stacks work well no matter which way you read it.

CDN disabling for jQueryUI

This is a bug – or rather a feature that was never completed in Stacks 3.x. We added the switches for other CDNs and libraries – but somehow just never added the button for jQueryUI. Ironically all the difficult code is included inside of Stacks as if the checkbox exists and there is even a copy of jQueryUI within Stacks – just no way to enable it!!! But in 3 years no one has noticed or cared until this new law. LOL :stuck_out_tongue_winking_eye:

Look for a bug fix for this in the coming week. I can’t say exactly when as any time I modify the UI things tend to take a few extra days. I’ll release it on the Slack channel (http://slack.yourhead.com) as a beta version as soon as it’s ready.

Isaiah


(Jan Fuellemann) #12

Thank you very much Isaiah :slight_smile: Hopefully in time so other Developers can update their stacks as well to support this. Thanks again, you are lifting a weight from our shoulders.


(Jannis from inStacks Software) #13

Other developers don’t have to do anything about that. It’s you who has to un-check the box in order to use the local version.


(Jan Fuellemann) #14

That simple? I thought developers might have to add support for switching to a local library as they might have a hardcoded URL to this jQueryUI …


(Markus Frieauff ) #15

No. This is all about the general preference settings in the Stacks plugin. After the update we will be able to switch all four basic components from cdn to local.
There may (and will, most likely) be additional calls that single stack elements make but these have to be dealt with by the respective developers or by us modifying the stacks.
Thank you very much, Isaiah!


(Isaiah Carew) #16

You don’t need to do anything and neither do stack developers. Stack developers get to choose the library, it’s up to the user to determine the source of the library.

And local libraries are the default.

So if all goes as planned, it will just start using the built in local library after the next update.

You’ll need to republish any pages that use the jQueryUI library. Probably safest just to choose Republish All Files from the File menu after the update. That will make sure you get 'em all.

Isaiah
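
A check one could run over the published HTML after Republish All Files, added here as an example (not code from Stacks or from anyone in this thread): it lists every tag that makes a browser contact a host other than your own on page load. The host `www.example.com`, the file names and the sample page are constructed; the jQuery UI line is the one quoted in post #1.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that triggers a fetch as soon as the page is parsed.
FETCHING_ATTRS = {"script": "src", "link": "href", "img": "src",
                  "iframe": "src", "source": "src", "embed": "src"}
# <link> only contacts the host for these rel values (not e.g. canonical).
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "modulepreload",
                 "preconnect", "dns-prefetch", "icon"}

class ExternalResourceFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (line, tag, host, url)

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        attrs = dict(attrs)
        url = attrs.get(attr) if attr else None
        if not url:
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        # Relative and data: URLs have no hostname, so they stay local.
        # "//host/path" (protocol-relative) is resolved to its host.
        host = urlsplit(url).hostname
        if host and host != self.own_host:
            self.findings.append((self.getpos()[0], tag, host, url))

def third_party_requests(html, own_host):
    """Return (line, tag, host, url) for each load-time third-party fetch."""
    finder = ExternalResourceFinder(own_host)
    finder.feed(html)
    return finder.findings

# Constructed sample of a published page header.
SAMPLE_PAGE = """\
<html><head>
<link rel="canonical" href="https://www.example.com/">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">
<script src="files/jquery-2.js"></script>
<script type='text/javascript' charset='utf-8' src='https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js'></script>
</head><body><img src="https://www.example.com/logo.png"></body></html>
"""

if __name__ == "__main__":
    for line, tag, host, url in third_party_requests(SAMPLE_PAGE, "www.example.com"):
        print(f"line {line}: <{tag}> contacts {host}: {url}")
```

This only sees tags in the static HTML; requests made from inside CSS (`@import`, `url()`) or by scripts at runtime need a browser's network panel to confirm.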


(Barrie McDermid) #17

Wouldn’t it be great if everything in life were this simple.

By simple, I mean someone clever just coming along and sorting it all out for you :wink:


(klaatu) #18

@Bazza
That’s just about my idea of hell, but I know what you mean.


(Michael M.) #19

That Google (and others) is now compliant with the GDPR solves only one problem. The other problem is that there is personal information still transferred outside the EU. That is the main problem and we have to ensure that our websites do not send any information anywhere (especially outside the EU).


(Markus Frieauff ) #20

To be precise: it IS permitted to transfer personal data outside the EU. It just takes explicit consent of the visitor of the website. That’s what we need to ensure: that our sites don’t transmit IP addresses without explicit consent of the visitors to do so. Which requires the consent before any other library is being loaded from CDNs.