fonts.gstatic.com Preconnect
This is urgent!
One of my clients has been fined because the website still connects to fonts.gstatic.com because of brizy (even though no Google Fonts are used, only self-integrated, locally stored fonts). The attached code can be found on each of my 100+ brizy websites:
<link class="brz-link brz-link-google-prefetch" rel="dns-prefetch" href="//ajax.googleapis.com">
<link class="brz-link brz-link-google-prefetch" rel="dns-prefetch" href="//fonts.googleapis.com">
<link class="brz-link brz-link-google-preconnect" rel="preconnect" href="https://fonts.gstatic.com/" crossorigin>
The DNS PREFETCH hints are unnecessary, but at least no connection is made. It is different with PRECONNECT: here the target server is contacted and thus the IP of the user is transferred!
I appreciate the effort of the brizy team to make brizy even faster, but please not at the cost of legal compliance.
How can PRECONNECT (and best also DNS-PREFETCH) for fonts.gstatic.com be switched off?
Regards
Karl
-
Hi Karl
Sorry; your message was in the SPAM folder and hence it took a while for us to see it.
Have you set a local font as the default fallback font? Please take a look at this video for the procedure to set the default font: https://jmp.sh/ReJ33Qk
If you have not done this, please do this and check if you still see any request going to fonts.gstatic.com.
0 -
Hi KC,
Thanks for your reply.
My font library contains two fonts, both manually uploaded:

"Lato neu" (neu is German for new) is the default/fallback, SuiGeneris the main font. I have used this and similar settings ever since it became possible to get rid of Lato (and all the other fonts loaded via Google Fonts) as default/fallback. The preconnect is still there:
0 -
Hi Karl,
Can you please specify your URL so that we can take a look?
0 -
Hi KC,
Can you please send a message to my account's email, so I can send you the URL of one of my test sites and the login credentials?
0 -
Hi Karl,
Please send the URL and the login details to kc.george@brizy.io. Please let me know here once you have sent it.
0 -
Hi KC,
I just sent an email, please check your inbox!
0 -
Hi Karl,
I have looked at your test website. Let me give you my thoughts on why I believe the General Data Protection Regulation may not apply in the case of your test website.
GDPR Entry point
If an organization/website collects, uses, or stores PERSONAL data of people in the EU, then they must comply with the GDPR’s privacy and security requirements. If they do not collect, use or store personal data, the General Data Protection Regulation does not apply to the organization/website. Please refer to https://gdpr.eu/eu-gdpr-personal-data/
What is Personal data?
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Please refer to https://gdpr.eu/eu-gdpr-personal-data/
Does Brizy collect, use or store personal data?
Have a look at this document for the data that Brizy collects on a WordPress website. https://support.brizy.io/hc/en-us/articles/7421688586385-What-cookies-does-Brizy-WordPress-store- As you can see on this webpage, the data that is being collected and stored in the user's browser does not qualify as personal data as per the GDPR definitions.
Does Brizy transfer user data?
The user data collected are stored in LocalStorage and not in cookies. LocalStorage data are not transferred to any server anywhere on the planet, whereas cookies are exchanged with the server on every HTTP request. Please refer to: https://www.xenonstack.com/insights/local-vs-session-storage-vs-cookie Please also refer to https://gdpr-text.com/read/article-44/
Does your test webpage transfer user data to Google?
I have carried out a performance test on https://tests.laendle.io/ Please have a look at the report here https://gtmetrix.com/reports/tests.laendle.io/gxUXAooK/
In this video, I am walking you through the waterfall of your test webpage. https://jmp.sh/8Oafx81 You will see that your webpage makes 35 requests for different resources. Out of the 35 requests, 33 requests are going to your own website tests.laendle.io. Two requests are going to youtube.com. Your webpage is requesting and downloading two files from YouTube:
- https://www.youtube.com/iframe_api
- https://www.youtube.com/s/player/afeb58ff/www-widgetapi.vflset/www-widgetapi.js
Since no personal data is collected and transferred to YouTube, the General Data Protection Regulation should not apply in the case of your website.
DNS prefetch and preconnect in the page source
Only if your website sends a request to fonts.googleapis.com, can it transfer any data. While you can see the below code in the page source, you will notice from the GTmetrix waterfall that your website does not make any request whatsoever to fonts.googleapis.com.
</style><meta name="viewport" content="width=device-width, initial-scale=1">
<link class="brz-link brz-link-google-prefetch" rel="dns-prefetch" href="//ajax.googleapis.com">
<link class="brz-link brz-link-google-prefetch" rel="dns-prefetch" href="//fonts.googleapis.com">
<link class="brz-link brz-link-google-preconnect" rel="preconnect" href="https://fonts.gstatic.com/" crossorigin>
0 -
Hi KC,
Thanks for your elaborate response.
I am well aware of the fact that no (file-)requests are made to fonts.googleapis.com or any other Google related IP. But still the PRECONNECT is a directive for the user agent to do a full handshake:
"The user agent should attempt to initiate a preconnect and perform the full connection handshake [...] whenever possible" - https://html.spec.whatwg.org/multipage/links.html#link-type-preconnect
Therefore the IP of the user is also transmitted to Google (the TCP three-way handshake process is based on TCP/IP).
So if not for legal reasons, you should at least consider making DNS-PREFETCH and PRECONNECT optional as soon as no Google resources are used. Otherwise it's not a performance optimization but quite the opposite.
0 -
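Added example, not part of the thread and not Brizy's code: a static check of page markup for the two resource hints discussed above, separating `dns-prefetch` (host name lookup only) from `preconnect` (the browser opens a connection to the named host). The sample markup is the snippet quoted in the thread plus one constructed first-party line; `site.example` and all function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# preconnect asks the browser to open a connection to the target origin;
# dns-prefetch only asks it to resolve the host name.
OPENS_CONNECTION = {"preconnect": True, "dns-prefetch": False}

# Snippet quoted in the thread, plus one constructed first-party hint.
SAMPLE_HTML = """
<link class="brz-link brz-link-google-prefetch" rel="dns-prefetch" href="//ajax.googleapis.com">
<link class="brz-link brz-link-google-prefetch" rel="dns-prefetch" href="//fonts.googleapis.com">
<link class="brz-link brz-link-google-preconnect" rel="preconnect" href="https://fonts.gstatic.com/" crossorigin>
<link rel="preconnect" href="https://site.example/">
"""

class HintAuditor(HTMLParser):
    """Collect dns-prefetch/preconnect hints that point at another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag != "link" or not attr.get("href"):
            return
        rels = (attr.get("rel") or "").lower().split()
        # urljoin resolves protocol-relative ("//host") and relative hrefs.
        host = urlsplit(urljoin(self.page_url, attr["href"])).hostname
        if host is None or host == self.first_party:
            return  # assumption: only an exact host match counts as first-party
        for rel in rels:
            if rel in OPENS_CONNECTION:
                self.findings.append(
                    {"rel": rel, "host": host, "opens_connection": OPENS_CONNECTION[rel]})

def audit(html, page_url):
    parser = HintAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

def connecting_hosts(findings):
    # Hosts the visitor's browser would connect to because of a hint alone.
    return sorted({f["host"] for f in findings if f["opens_connection"]})
```

Run over the saved HTML of each site, `connecting_hosts(audit(html, url))` lists the third-party hosts that receive a connection even when no file is ever requested from them.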
Hi Karl,
I agree; we will add a request to remove DNS-PREFETCH and PRECONNECT from the Brizy code when Google-hosted fonts are not being used. We are also working on removing the two unnecessary requests going to youtube.com.
Thanks
0 -
Hi KC,
Thanks, this is great news.
Looking forward to an even more improved brizy! :)
0 -
We need this ASAP!
0 -
Hi KC,
Thanks for update 2.4.7. At least we can now use external fonts again.
Unfortunately the preconnect code is still there. After switching to bunny.net this preconnect is even more useless. The user's IP is still transmitted to Google. Please fix this!
Another small thing about the fonts integration: In the fonts manager under "add new" it still says "Google Fonts". Please change that to "Bunny Fonts" or "External Fonts". Thanks.
Best regards
Karl
0 -
Hi Karl,
Yes; we have not made any progress in eliminating pointless code. We are working on this and another GDPR-related issue.
I appreciate you bringing this up. The fonts are part of the Google Fonts library, despite being hosted by Bunny fonts. Consequently, the name "Google fonts" may not be entirely inaccurate. We might include "Bunny hosted". We'll look into this.
0 -
One week later and the prefetch is still in the code. Also, you (i.e. Brizy) may not see it as an urgent problem but KC said one of his clients has already been fined because of this prefetch and it is only a matter of time before some gung-ho lawyer makes a point of targeting Brizy websites to make some easy money and an example of us all.
0 -
Hi Terry,
I can confirm that this is in the list of requests and we will eventually get to it.
Google used to track the IP addresses of the browsers requesting fonts from fonts.gstatic.com and fonts.googleapis.com. They stopped doing it after the Munich verdict. Please see what Google says regarding IP tracking on their website at https://developers.google.com/fonts/faq
The Google Fonts API logs the details of the HTTP request, which includes the timestamp, requested URL, and all HTTP headers (including referrer and user agent string) provided in connection with the use of our CSS API. IP addresses are not logged.
0