(chore): Remove third party web dependencies.

[electricessence]

Although this may seem silly to some, on principle, Facebook for example does not use Google for analytics or any third party web dependencies which may compromise privacy or security. (Double-click is present after login.)

Keep in mind (no pun intended) that there is nothing wrong with including 3rd party scripts on public facing pages as long as they can be blocked and the site still work. Apparently Minds.com relies on other third party scripts to run properly.

But, let me be clear, it is ABSOLUTELY inappropriate to have present any 3rd party script on a page with a login. Period. I'll won't assume you understand why and I'll explain: Regardless of the perfectly reviewed benevolence of a 3rd party script, it is 3rd party and could change without 1st party control which could compromise any number of users. All scripts behind a login should be 1st party only.
Also remember that including Google Analytics on your website provides an open window for Google to build a perfect profile of who you are on a social network. Isn't that the job of the social network and not Google?

Minds.com uMatrix Profile

Facebook's uMatrix Profile

[001101]

lol

[markharding]

Thanks for opening the issue.

We do plan on using our own in house analytics engine in the future, but it would take a lot of time and energy (and expense) to create a reliable system.

Not all services can be hosted by Minds directly, like Stripe for example. We could of course collect the credit card and personal details ourselves, but then that puts the PCI compliance on our heads vs Stripes.

[ottman]

Thanks for this. Over time we hope to weed out as much 3rd party stuff as possible, ideally all, but that requires building massive new systems in house. If you have some reasonable recs for first steps feel free to suggest, but if people want to get paid, GA and stripe are necessary for the time being.

Fb itself is spyware. Our code is all open so you can see what we are doing.

[electricessence]

@markharding Is there a reason stripe is on the home/login page?

[electricessence]

I wrote an article about this topic here:
http://telegra.ph/Stop-Using-3rd-Party-Web-Scripts-NOW-02-24

[electricessence]

@ottman I'm with you. I think it's great to see an open source social network.
But IMO, Google is even worse then FB (spyware). It is IMO a crime to allow GA beyond your home page.

[markharding]

Yeah, Minds is a single page app and stripe was complainin when being loaded in asynchronously and gave various CORS error. Ideally we can find a work around to only require when needed.

…

On 24 Feb 2017 18:39, "electricessence" ***@***.***> wrote: @markharding <https://github.com/markharding> Is there a reason stripe is on the home/login page? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#27 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAz97ObHf9XXnI9nm4o5FCNZqyFgH3nlks5rfyP6gaJpZM4MLTkn> .

[electricessence]

@markharding, why would they complain about it being loaded async? Why wouldn't you load stripe's script only when it's needed? :|

[markharding]

Hey, if you want to take a stab at it then feel free. Braintree works asynchronously via SystemJS but Stripe played up.

…

On 24 Feb 2017 18:46, "electricessence" ***@***.***> wrote: @markharding <https://github.com/markharding>, why would they complain about it being loaded async? Why wouldn't you load stripe's script only when it's needed? :| — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#27 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAz97IH9-M-WSMiU_thNosXWD1BIClWiks5rfyWegaJpZM4MLTkn> .

[electricessence]

@markharding, I see, because it's a SPA, you're having difficulty managing that...

[z0noxz]

I was just about to create the same ticket but saw that this one already exist. Much of the external content would be easy to just copy, white-list (Content-Security-Policy: script-src) and load locally. I think both TinyMCE and fontawesome is GPL licensed, so no problem there, and for analytics (if needed) the ethical thing would be to have it FOSS for everyone to inspect, but I personally block GA in my firewall. And as I use both GNU LibreJS & RequestPolicy for externally loaded content and block googleapis.com in my firewall Minds.com looks quite bad for me :P

I'm of the same mind as the ticket's creator. Third parties should be nowhere near the login page.

In my case, using Aurora with NoScript, allowing everything on the login page except for Google Analytics (blocked system-wide) makes the background Earth video to come to the foreground and almost entirely cover the sign-up form [1]. The login form is not even loaded.
As a side note, the login cookies expire way too quickly, IMO.

Far be it from me to suggest priorities for the devel team, but I can't see anything more crucial than becoming free of Evil Corp. New features, even non-critical bug fixes become trivial in comparison.

Luckily for me, I'm only a social consumer of social media (pun absolutely intended) and am able to wait patiently for a very long time for all of this to come around.

[1] Screenshot