Disable JQuery CDN by default

I encountered a problem in the pod configuration files. The feature “jquery_cdn” (take the jquery script from jquery.com) is enabled by default. This can compromise security and makes diaspora centralized, because JQuery.com can replace the script. I’m a podmin and I never thought that this feature was enabled at my pod, because I kept this option commented out (screened by #) in the configuration, and I was sure, but… I should have uncommented the option in the configuration and explicitly disabled it (erase ‘true’ and type ‘false’).

I suggest disabling jquery_cdn in defaults.yml. Podmins may uncomment this option in diaspora.yml and enable the JQuery CDN if necessary.


Note: This discussion was imported from Loomio. Click here to view the original discussion.

Excellent idea, why has no one thought of this before?

@rich1 we recently changed the CDN from google’s one to the JQuery one. But I agree here, the default value should be “do not use the CDN”.

If Diaspora* doesn’t use CDNs, the page load will be slower.
The use of a CDN has more advantages than disadvantages.

http://www.sitepoint.com/7-reasons-to-use-a-cdn/

http://gtmetrix.com/why-use-a-cdn.html

It’s the price we should pay for decentralization. Diaspora has many problems associated with decentralization - for example we have no search across all pods. By using JQuery.com or any other corporate CDN provider we make the network centralized. The owners of jquery.com may replace the script and disable most of the pods, or steal data passed via jquery.

Anyway, the discussion is only about the default settings. A podmin can easily enable the CDN by removing a single sharp character (#) from the configuration file.

I thought CDN for jQuery was disabled by default. Certainly that’s what the yml config file implies.

Can someone with core code knowledge confirm whether or not the code does use jQuery.com’s CDN as default?

I don’t think it matters too much whether the CDN is enabled or disabled by default - it brings performance improvements, and any particularly privacy-conscious podmin can easily disable it - but the important thing is that the text in the config file must clearly explain what is the default case - enabled or disabled. That’s what needs to be fixed if it’s not clear at the moment.

The 0.4.0.1 source “diaspora.yml.example” file says:

#jquery_cdn: true

So CDN is disabled by default.

The problem is in the file config/defaults.yml at line 44.

If we write in the description something like this: “Don’t include jQuery from jquery.com’s CDN. jQuery is included from jquery.com’s CDN by default. This feature potentially saves you some traffic and speeds up load time since most clients already have this one cached. You can disable it by uncommenting the following line, if you want to host jQuery at your pod.
#jquery_cdn: false”

This description is still unclear, because a description should describe what the setting does, not what the provided example would do if enabled.

You may look at the example configuration with its description: https://github.com/diaspora/diaspora/blob/develop/config/diaspora.yml.example#L173

but the 0.4.0.1 source “defaults.yml” file says:

jquery_cdn: true

Maybe someone could confirm that settings made in “diaspora.yml” override those made in “defaults.yml” ?

(as I’m confused now too)

Yes, Rich! I was misled like you. When I kept the line ‘#jquery_cdn: true’ screened, the CDN was enabled.

If diaspora.yml has no value for an option (or the option is screened by #), then the option value is taken from defaults.yml.

So I should explicitly write ‘jquery_cdn: false’ in diaspora.yml to disable this feature. Otherwise the CDN will be enabled.
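To make the precedence described above concrete, here is an added example (not diaspora*'s own config-loading code, and the YAML layout and the `serve` key are illustrative assumptions rather than a claim about the real files): a small deep-merge of a constructed defaults.yml over a constructed diaspora.yml, showing that a commented-out `#jquery_cdn: true` leaves the default in force, and that only an explicit `jquery_cdn: false` turns the CDN off.

```ruby
require "yaml"

# Constructed stand-in for config/defaults.yml as it is today (CDN on by default).
DEFAULTS_YML = <<~YAML
  configuration:
    environment:
      assets:
        serve: false
        jquery_cdn: true
YAML

# Constructed stand-in for defaults.yml after the proposed change (CDN off by default).
DEFAULTS_YML_PROPOSED = <<~YAML
  configuration:
    environment:
      assets:
        serve: false
        jquery_cdn: false
YAML

# Case 1: the podmin left the option commented out ("screened by #") in diaspora.yml.
PODMIN_YML_COMMENTED = <<~YAML
  configuration:
    environment:
      assets:
        serve: false
        #jquery_cdn: true
YAML

# Case 2: the podmin uncommented the option and explicitly set it to false.
PODMIN_YML_EXPLICIT = <<~YAML
  configuration:
    environment:
      assets:
        serve: false
        jquery_cdn: false
YAML

# Recursively merge the podmin file over the defaults: nested hashes are merged,
# a key present in both takes the podmin's value, and a key with no value at all
# (for example a section whose only children are commented out) keeps the default.
def deep_merge(base, override)
  base.merge(override) do |_key, old_val, new_val|
    if old_val.is_a?(Hash) && new_val.is_a?(Hash)
      deep_merge(old_val, new_val)
    elsif new_val.nil?
      old_val
    else
      new_val
    end
  end
end

# Parse both files and compute the settings that would actually be in effect.
def effective_settings(defaults_yml, podmin_yml)
  defaults = YAML.safe_load(defaults_yml) || {}
  podmin = YAML.safe_load(podmin_yml) || {}
  deep_merge(defaults, podmin)
end

# The single question this thread is about: is the CDN on after merging?
def jquery_cdn_enabled?(defaults_yml, podmin_yml)
  effective_settings(defaults_yml, podmin_yml)
    .dig("configuration", "environment", "assets", "jquery_cdn")
end

puts "defaults true,  option commented out : #{jquery_cdn_enabled?(DEFAULTS_YML, PODMIN_YML_COMMENTED)}"
puts "defaults true,  explicit false       : #{jquery_cdn_enabled?(DEFAULTS_YML, PODMIN_YML_EXPLICIT)}"
puts "defaults false, option commented out : #{jquery_cdn_enabled?(DEFAULTS_YML_PROPOSED, PODMIN_YML_COMMENTED)}"
```

The first line printed is the trap from the opening post: with the current defaults the commented-out line changes nothing and the CDN stays on. The third line is what the proposal buys: once defaults.yml says false, a podmin who never touches the option gets jQuery served from their own pod, and only an explicit `jquery_cdn: true` in diaspora.yml would re-enable the CDN.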

Proposal: Change jquery_cdn in defaults.yml to false

Currently jquery_cdn is by default true - which means diaspora* will fetch the jQuery javascript from the official jQuery servers. If this setting is false, diaspora* will itself serve jQuery.

Pros to having this default to true (like it is now):

  • Save some bandwidth for the pod maintainer
  • Faster page loading since most users will already have jQuery cached from the CDN (=half of the internet uses it)

Cons to having this default to true (like it is now):

  • Each page load makes a request also to the jQuery servers - potential privacy issue if someone is worried about that
  • Problems with jQuery servers would create problems for diaspora* pods (as unlikely as that is, it is possible)

So, this proposal gives the following options:

YES - change jquery_cdn to FALSE - i.e. the diaspora server will serve jquery directly to the user
NO/BLOCK - keep jquery_cdn as TRUE - i.e. the user's browser will fetch jquery from the jquery servers

NOTE! Podmins can always change this setting, whatever the default is.


Outcome: N/A

Votes:

  • Yes: 15
  • Abstain: 3
  • No: 0
  • Block: 0

Note: This proposal was imported from Loomio. Vote details, some comments and metadata were not imported. Click here to view the proposal with all details on Loomio.

I created a proposal since I think there is not much to discuss here - we either have it default to false or true and what each means is quite clear :slight_smile:

While I personally think using the jQuery CDN is a good thing to do (and will continue to do on my pod) - I also think it would probably be better to default to false here, so that podmins who want to use it will need to actually enable it.

I think our opinion is quite clear on this. Do we also agree this change should be pushed out in the next major release, not the next minor release? IMHO this should be in a major release since it changes old configuration defaults.

I don’t think there’s any hurry to push out this change, since any podmin can easily switch off CDN. I’d suggest clarifying the explanation in the config file in the very next release, so that no one can be confused about what is the default setting, and then changing the actual default setting in the next major release, as you suggest.

https://github.com/diaspora/diaspora/pull/5065

Ok, what happens next in terms of getting this implemented?

@rich1 I think Goob wrote out a good plan - reword the current setting in the next release, then change the setting in the next major release. Someone needs to do a pull request, for example like 5065.

I could do a PR, but first I need a definitive answer from someone in the know about what the actual default position (if the line in the defaults file remains commented out) is.