Disable calls to external servers (Google Fonts/APIs, Polyfill.io)

What did I miss in my reply? :)
Well, looking at your answer in post #29 I don't see it mentioned or I'm misunderstanding something. Didn't see it being referenced.

I'm talking about this:
pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
So if this has to do with certain customizing requests then I did not understand it was this you were talking about in your reply.
 
FYI: as more customers having license with support contacted us - pre-release has them locally, next release will have polyfill/fonts local as well.
Thanks
Germany is very much a problem if not 100% GDPR, for example: if one has such external parts on site they have to warn upfront in the privacy statement, also if the server location is outside the EU then ..

But for myself the security is the main problem: external parts you don't expect in an Admin server panel if not really needed to be external, as also in the enhanced theme filemanager.
 
Well, looking at your answer in post #29 I don't see it mentioned or I'm misunderstanding something. Didn't see it being referenced.

I'm talking about this:

So if this has to do with certain customizing requests then I did not understand it was this you were talking about in your reply.
Yes, https://forum.directadmin.com/threa...nts-apis-polyfill-io.62649/page-2#post-323793 is the answer for it. You don't have any requests to that endpoint when you load Evolution skin. Having something in source code, does not mean it's loaded. For example, you may open any email client you use, it'll auto-have selections for gmail, outlook etc. providers, but it does not mean it'll send any queries to them if you don't select them :) And the source code will have references to the providers.
 
security is the main problem
The server doesn't send any cookie information or anything else, so, it's not about safety. The only information sent once in a year (because later it's cached and loaded from your browser) is IP address requesting that resource. If you've visited any other page, which loaded the same font - no requests are sent at all. And even that 1 time in a year when the visitor IP is known (as it's the end-customer requesting the resource) won't be there anymore.

 
The server doesn't send any cookie information or anything else, so, it's not about safety. The only information sent once in a year (because later it's cached and loaded from your browser) is IP address requesting that resource. If you've visited any other page, which loaded the same font - no requests are sent at all. And even that 1 time in a year when the visitor IP is known (as it's the end-customer requesting the resource) won't be there anymore.

Yes it is, while you can't ever trust externals that aren't from yourself upfront, and for the time using them, while with one mistake somewhere, for example with DNS security, the scripts and files could be from a bogus server or site later too. This is a real issue, no matter which scripts, fonts, whatever.

Also if one has strict security (or very strict privacy) settings, browser, firewall, router, things are not working with that!

See this example, same base problem I think

It is not once: most people using strict security and privacy clear everything in and from the browser cache and cookies and more. ;)

GitHub content, even once some Bootstrap external CDNs were hacked/bogus in the past, so why use external if not needed ;)
 
The only information sent once in a year (because later it's cached and loaded from your browser) is IP address requesting that resource.
Plus all browser/client information that's typically exchanged (browser, OS, resolution, etc.) + referrer (full URL), right?

Also if one has strict security (or very strict privacy) settings, browser, firewall, router, things are not working with that!

Yep, I know different companies where the IT administrators won't rely on caching, local storage, cookies, etc. to prevent issues after updates of their browsers or webapps. Thus this would happen more often for them.
 
I followed the 'Pre-release Binaries Download' guide for Debian 10. I still see Google Fonts and Polyfill on the admin page and on login page. The new pre-release version seems to be installed properly:

./directadmin o
Compiled on 'Debian 10.0 64-bit'
Compile time: Dec 5 2020 at 04:53:04
Timestamp: '1607169135'
Compiled with IPv6
Static binary: yes
commit sha: 7be62cc0
gettext support: yes
gettext path: /usr/local/directadmin/data/lang

Can someone confirm that I did it correctly? Restart of the service seems to be correctly done as I can see that DirectAdmin serves HTTP/2 now. Furthermore this information is shown:

Last Updated: Sat Dec 5 12:53:08 2020
Last Restart: Mon Dec 7 00:19:23 2020
 
I think leaving feedback isn't appropriate for this kind of issue as it would mean a midterm or longterm solution would be fine. It's not a typical feature request but a critical bug that shouldn't be at all in the system.
This has been a problem since they changed their support structure. @bdacus01 opened up a feature request to notify bugs here:
 
FYI: as more customers having license with support contacted us - pre-release has them locally, next release will have polyfill/fonts local as well.
Glad it will be fixed but at the same time a very worrying situation. You're basically saying you will only "listen" to customers with licenses with support. This would make posting on this forum for customers without a license even more futile and even less bugs will get reported to you guys. Making DirectAdmin a less secure option in the long term.
 
Glad it will be fixed but at the same time a very worrying situation. You're basically saying you will only "listen" to customers with licenses with support. This would make posting on this forum for customers without a license even more futile and even less bugs will get reported to you guys. Making DirectAdmin a less secure option in the long term.
Yes, and I think a lot of customers have DirectAdmin through their (virtual) server provider, and thus without support
 
Yes, and I think a lot of customers have DirectAdmin through their (virtual) server provider, and thus without support
Providers likely have support included, so they can forward any requests directly (and then forward the answer back to you)
 
This will only make it less likely users will report bugs voluntarily though.
Uh wow (I do understand you Tristan)
But not reporting BUGS to the right Support, as here the hoster, is a no-go for Serveradmins.
While BUG is BUG and security prob is security prob.
So not reporting doesn't solve anything then.

However, here in the forum there are more users, also with a DA license, so asking them to report instead should not be so difficult if they are important ones.. or?

That is the kindness of User / Serveradmin Support Forum, also you can even without license get paid support here from some experienced DA persons.

I only agree that for the hosters that are not doing support very well, this is hard then, but if you are at such a hoster, move as quick as you can.

Yup the problem managed not managed , then you have to find out yourself a lot more, but still real BUGS should be reported to hoster while you pay for a (good) working DA to them for your BOX/es.
 
I just installed latest pre-release binaries again, dated on today. Now Google Fonts is served from your own server but Polyfill still isn't.
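
An added example, not part of any post in this thread and not DirectAdmin code: a static check that separates third-party hosts the browser fetches automatically from markup (as with the Google Fonts and Polyfill tags discussed above) from hosts that are only mentioned in the source. The page URL, the `/assets/app.js` path and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Markup that makes a browser request the URL on page load without any click.
AUTO_FETCH = {("script", "src"), ("img", "src"), ("iframe", "src")}
FETCHING_RELS = {"stylesheet", "preload", "modulepreload", "icon"}
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")

class ExternalAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.own_host = page_url, urlsplit(page_url).hostname
        self.fetched, self.mentioned = set(), set()
        self.in_inline_script = False
    def external_host(self, url):
        host = urlsplit(urljoin(self.page_url, url)).hostname
        return host if host and host != self.own_host else None

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self.in_inline_script = tag == "script" and "src" not in a
        rels = set(a.get("rel", "").lower().split())
        for name in ("src", "href"):
            host = self.external_host(a[name]) if name in a else None
            if host:
                loads = (tag, name) in AUTO_FETCH or (tag == "link" and bool(rels & FETCHING_RELS))
                (self.fetched if loads else self.mentioned).add(host)
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_inline_script = False

    def handle_data(self, data):
        # URLs inside inline scripts are only strings until code uses them.
        if self.in_inline_script:
            hosts = map(self.external_host, URL_RE.findall(data))
            self.mentioned.update(h for h in hosts if h)

def audit(html, page_url):
    parser = ExternalAudit(page_url)
    parser.feed(html)
    parser.close()
    return {"fetched": parser.fetched, "mentioned_only": parser.mentioned - parser.fetched}

# Constructed sample page, not DirectAdmin's actual markup.
SAMPLE = """<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://polyfill.io/v3/polyfill.min.js"></script><script src="/assets/app.js"></script>
<script>var ad = "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js";</script>
<a href="https://forum.directadmin.com/">Forum</a>"""
```

Calling `audit(SAMPLE, "https://panel.example.test:2222/")` returns both sets. A static pass cannot see requests that scripts issue at runtime, so a host listed under `mentioned_only` still needs to be confirmed against the browser's network log.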
 
You're basically saying you will only "listen" to customers with licenses with support. This would make posting on this forum for customers without a license even more futile and even less bugs will get reported to you guys.
This will only make it less likely users will report bugs voluntarily though.
But not reporting BUGS to the right Support,
Bug reporting should go directly to the Application development owner or team. It's their application, they developed it, and they are selling it. It's in DirectAdmin's best interest to get Bug reports from anyone. A current support contract has nothing to do with code defects. The issue here for some is what is a bug and what is an enhancement or not a bug. However, that is not a customer issue, it's the product developer's issue. The customer should have a free and easy way to report anything they think is a Code defect aka bug.

What is support? What is the policy?

I thought support was for Technical issues. Most assume the Application works as designed. If it doesn't then sure report it to support if you need help. If a bug is discovered here in the support process then great. However, if this is the only avenue to report bugs DirectAdmin is cheating themselves and the paying customers.

That's why there needs to be a separate process to report bugs.
 
I thought support was for Technical issues.
80-90% of bug reports are just technical issues they have, then they need to be investigated, and they get support at the end of this :) Forum is the best place for this. Did you see any real bug you're experiencing too ignored on the forums? (I guess no)
 