Toolforge provides proxied mirrors of cdnjs and now fontcdn, for your usage and user-privacy

Tool owners want to create accessible and pleasing tools. The choice of fonts has previously been difficult, because directly accessing Google's large collection of open source and freely licensed fonts required sharing personally identifiable information (PII) such as IP addresses, referrer headers, etc. with a third party (Google). Embedding external resources (fonts, CSS, JavaScript, images, etc.) from any third party into webpages hosted on Toolforge or other Cloud VPS projects causes a potential conflict with the Wikimedia Privacy Policy. Web browsers will attempt to load the resources automatically, and this will in turn expose to the third party the user's IP address, User-Agent, and other information that is included by default in an HTTP request. This sharing of data with a third party is a violation of the default Privacy Policy. With explicit consent, Toolforge and Cloud VPS projects can collect and share some information, but it is difficult to secure that consent with respect to embedded resources.

One way to avoid embedding third-party resources is for each Tool or Cloud VPS project to store a local copy of the resource and serve it directly to the visiting user. This works well from a technical point of view, but can be a maintenance burden for the application developer. It also defeats some of the benefits of using a content distribution network (CDN) like Google Fonts, where commonly used resources from many applications can share a single cached copy in the user's web browser.

Since April 2015, Toolforge has provided a mirror of the popular cdnjs library collection to help Toolforge and Cloud VPS developers avoid embedding third-party JavaScript resources. We did not have a similar solution for the popular Google Fonts CDN, however. To resolve this, we first checked whether the font files were available via bulk download anywhere, as the cdnjs libraries are, but they were not. Instead, @zhuyifei1999 and @bd808 have created a reverse proxy and forked a font-searching interface to simplify finding the altered font CSS URLs. You can use these features to find and use over 800 font families.

You can use these assets in your tools now!



Onwiki docs

Please give us feedback on how these features could be further improved, submit patches, or just show us how you are using them!

Written by Quiddity on Aug 2 2017, 1:55 AM.
Community Liaison and endlessly curious volunteer

This is a brilliant service!

Is it possible to add a thing that provides the integrity attribute value for JS and CSS assets? e.g. the output of something like:

cat bootstrap.min.css | openssl dgst -sha384 -binary | openssl base64 -A

Or is that not required (come to think of it) for non-cross-domain requests...

Oh, it seems maybe CDNJS already might do this, judging by — but perhaps the version on Toolforge doesn't yet?

bd808 added a comment. Aug 24 2017, 3:33 AM

@Samwilson this sounds like something worth opening a task for. We don't run the same frontend or build script as the upstream, so what needs to be done here is to update our cdnjs-packages-gen script to compute the hashes when we update the repo mirror and then update rTCJS labs/tools/cdnjs-index to display the hashes somehow. We don't have a specific Phab project for cdnjs, so just tag it with Tools.
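
The hash computation discussed in the comments above, as an added example that is not part of the thread and is not Toolforge's cdnjs-packages-gen script: it computes the `integrity` value for every JS and CSS file under a directory and checks file content against an `integrity` attribute. The directory layout, function names and sample file are assumptions made for illustration.

```python
import base64
import hashlib
from pathlib import Path

# Hash algorithms the SRI specification allows, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")
ASSET_SUFFIXES = {".js", ".css"}


def sri_value(data: bytes, algorithm: str = "sha384") -> str:
    """Return '<algorithm>-<base64 digest>', the form used in integrity="..."."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def build_index(root: Path) -> dict:
    """Map each JS/CSS file under root (assumed mirror checkout) to its SRI value."""
    return {
        path.relative_to(root).as_posix(): sri_value(path.read_bytes())
        for path in sorted(root.rglob("*"))
        if path.is_file() and path.suffix in ASSET_SUFFIXES
    }


def matches(integrity: str, data: bytes) -> bool:
    """Check data against an integrity attribute; only the strongest listed algorithm counts."""
    by_algorithm = {}
    for token in integrity.split():
        algorithm, _, rest = token.partition("-")
        if algorithm in SRI_ALGORITHMS and rest:
            by_algorithm.setdefault(algorithm, set()).add(rest.split("?", 1)[0])
    if not by_algorithm:
        # A browser loads the file when no usable hash is present; a checker should fail closed.
        return False
    strongest = max(by_algorithm, key=SRI_ALGORITHMS.index)
    return sri_value(data, strongest).split("-", 1)[1] in by_algorithm[strongest]


if __name__ == "__main__":
    sample = b"body{margin:0}\n"  # constructed stand-in for a mirrored CSS file
    value = sri_value(sample)
    print(f'<link rel="stylesheet" href="style.css" integrity="{value}">')
    print("unmodified file:", matches(value, sample))
    print("tampered file:  ", matches(value, sample + b"/* injected */"))
```

`sri_value` produces the same string as the `openssl dgst -sha384 -binary | openssl base64 -A` pipeline quoted above, with the `sha384-` prefix the attribute requires.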