Package: wordpress-theme-twentyfifteen
Version: 4.1.1+dfsg-1
Severity: normal

Dear maintainer,

the theme references Google servers for downloading fonts or CSS:

/usr/share/wordpress/wp-content/themes> find -name "*php*" -or -name "*.js" | xargs egrep -ir "googleapis"
./twentyfourteen/functions.php: $font_url = add_query_arg( $query_args, '//fonts.googleapis.com/css' );
./twentyfifteen/functions.php: ), '//fonts.googleapis.com/css' );

I only became aware of it after I installed the Iceweasel Request Policy addon. I think this will give Google information on the URLs the visitors of the wordpress site visit. And I was quite angry as I found this out weeks after initially installing wordpress.

I installed https://github.com/dimadin/disable-google-fonts to protect the privacy of the visitors of my wordpress site. According to the Request Policy plugin this appears to work.

I know that patching the theme to avoid accessing Google servers is extra maintenance work and may alter the appearance of the theme. For me wordpress looks well enough that way, I didn't notice any big difference.

An alternative idea would be to package that addon and add a clear hint about it on installing the wordpress package.

I am concerned about it, because it introduces a privacy leak that someone who installs wordpress can only notice by installing a privacy protection plugin, or analysing the network traffic or source code.

I know lots of websites do it the same way meanwhile. But I really would prefer it if CSS and fonts were embedded into the package. I see no need to push dialing to Google onto the client machines of the users who visit a wordpress site. In my eyes it is a silent leak of privacy, instead of having privacy as the default. Here Debian packaging of wordpress can stand out by caring about privacy.

I only report this for the most recent theme package, but the twentyfourteen is also affected. I also think that the main wordpress package may contain additional leaks, at least from the grep output I got.

Thank you for your consideration,
Martin

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (150, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- no debconf information
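The grep in the report above, generalised into an audit that lists every external host a theme tree references, as an added example that is not part of the original report or of the WordPress package. The function names `ext_hosts` and `demo_tree`, the host `blog.example.org` and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: list external hosts referenced by theme source files.
# Usage: ext_hosts DIR [ALLOWED_HOST...]
# Prints "host<TAB>file", sorted and de-duplicated; hosts named after DIR
# are treated as first-party and skipped.
ext_hosts() {
    dir=$1
    shift
    find "$dir" -type f \( -name '*.php' -o -name '*.js' -o -name '*.css' \) \
        -exec grep -EoH '(https?:)?//[A-Za-z0-9.-]+\.[A-Za-z]{2,}' {} + |
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            # grep prints "file:match"; cut at the ":" that precedes the URL
            sub(/:(https?:)?\/\//, "\t")
            split($0, part, "\t")
            host = tolower(part[2])
            if (!(host in ok)) print host "\t" part[1]
        }' | sort -u
}

# Constructed sample tree (not the real theme files): two lines modelled on
# the grep hits in the report, plus one allowed host and one local path.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/twentyfifteen/js" "$root/twentyfourteen"
    printf '%s\n' "\$u = add_query_arg( \$a, '//fonts.googleapis.com/css' );" \
        > "$root/twentyfourteen/functions.php"
    printf '%s\n' "), '//fonts.googleapis.com/css' );" \
        "// see https://blog.example.org/theme for docs" \
        > "$root/twentyfifteen/functions.php"
    printf '%s\n' "var css = '/wp-content/themes/twentyfifteen/style.css';" \
        > "$root/twentyfifteen/js/functions.js"
    echo "$root"
}

tree=$(demo_tree)
ext_hosts "$tree" blog.example.org
rm -rf "$tree"
```

A hit only shows that a host name appears in the source; URLs in comments or XML namespace strings are listed too, so each line still needs a look to confirm the browser is actually told to fetch from that host.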

