Add LibreCounter stats #167
Blocking for security reasons.
Integrating an external URL may be a vector of injection.
Thanks for the PR, but if we go with this solution, we must deploy a https://github.com/alexfernandez/librecounter installation on our server.
Thanks for the review, @Eomm! I am a bit baffled though 🤔 May I ask what are the risks that you have in mind? It's not a script or an iframe: just an image tag. You can also see on the original Docusaurus project that they similarly include an image from Netlify.
I am also not convinced of the GDPR conformancy claim. Yes, it is true that not storing personal data is not a GDPR issue. But the issues are more about transferring or relaying the personal information to third-party sites without consent. So if somebody visits fastify.dev, then it is a consensual interaction to process their IP and everything. The moment we load external third-party resources, we force the visitor to also load the content and force them to send the IP address to the third party. Comparable to Google Fonts.
@Uzlopak Well, it is true that you have to verify that any resources included in the page are also GDPR-compliant to be GDPR-compliant yourself. You have full access to the LibreCounter code, but I might surreptitiously change it to do mildly evil things like store IP addresses and user agents; not a lot of harm but possible mischief. To counter this, I can give you limited access to the server if you want, so you can audit the running code at any time. In any case I would be breaking the GDPR myself if I did this, and would be liable: I'm located in Spain and so is the server hosting librecounter.org.
You don't store personal information and are GDPR conform. But by embedding the link to the external server which is loaded automatically with the image, we as the site owner need to get the consent of our visitor to send their data to your server. I actually wonder now if embedding the stars and fork buttons from GitHub is GDPR conform or not.
@Uzlopak That is not how it works AFAIK: you need user consent to send any tracking info to third parties, but this is not what is done here. The user is sending you their IP address and user agent, they get a webpage and then they instruct the browser to fetch all included images, so they are sending their IP address and user agent to other servers. The user may perfectly well not go to any other servers to fetch outside images. And as long as the third party server is invoked with a legitimate interest, as seen e.g. here, then you should be fine. But I would be happy to be proven wrong.
As another data point, I don't think you are requesting (or actually need) user consent for embedding images from <img src="https://avatars.githubusercontent.com/u/5059100?v=4&s=192" alt="Aras Abbasi's profile picture" width="96" height="96" loading="lazy"> The web would break in a million places if embedding external images was not possible!
Well, maybe we need to consider persisting the avatars on our server instance.
Opened #168
That is a weird conclusion, and quite pointlessly hostile in my opinion. In any case I will withdraw my submission since it's not appreciated, let me know if you are interested in my little project at any point.
I don't know why you think that my conclusion would be hostile. I personally think your solution is awesome. But the GDPR aspect is for me not that clear, and your input was useful as it forces us to reconsider our GDPR conformancy as a whole.
OK, I understand your point of view better now. Sorry for jumping to conclusions. I would think that self-hosting all images is detrimental for the project and would be a non-optimal outcome of my PR, but if you are going that path regardless, then I will keep the PR on hold until it is resolved, hopefully by (rightfully) determining that external images are OK as long as they are justified.
Description
Add stats for fastify.dev on librecounter.org/fastify.dev/show. No cookies or tracking necessary. Please let me know if the chosen mode (hidden image) is appropriate, there are other options and I can implement another style if needed.
I found the way of adding raw HTML on this file from the original project. Can add arbitrary content.
Glad to give something back to Fastify as it has helped me on so many projects. Thanks!
Related Issues
Fixes #165.
Check List