How to deal with ajax.googleapis.com?

[msxfm]

Issue by jsamuel
Thursday Dec 22, 2011 at 19:03 GMT
Originally opened as RequestPolicy/requestpolicy#267

---

imported trac ticket
created: 2011-10-04 22:15:41
reporter: shabbyrobe

Many sites depend on jQuery served by google. Can a separate tab be added to requestpolicy to allow resources like this to be loaded from an alternative place? For e.g. I could host my own version of jQuery and point http://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js there instead.

I don't know that this is necessarily the solution (hence the vague ticket name, sorry about that), but RequestPolicy breaks websites left right and centre without ajax.googleapis.com whitelisted everywhere and then pow, they're tracking me again whether I like it or not.

I only installed RequestPolicy an hour ago and I'm already seeing three of my most visited websites (stackoverflow, slashdot and reddit) breaking.

[msxfm]

Comment by MadEgg
Wednesday Feb 29, 2012 at 10:45 GMT

---

It would be nice to have some built in way to do this. Currently, I'm redirecting ajax.googleapis.com to my own local webserver which is serving the requests for jquery etc, but it would be nice to have RequestPolicy take care of this.

[msxfm]

Comment by tpo
Monday Apr 15, 2013 at 13:06 GMT

---

When you get your *.js files from googleapis.com or similar, then - as far as I understand - google will only see:

• your cookie if it asks for it
• your IP
• the browser string
• the referrer

you can take care of cookies with CookieMonster or similar, by disallowing googleapis to set them, the browser string I don't know, but I guess there's an extension for that too, and you can disallow sending the referrer to google with RefControl.

That leaves google with your IP address which is not terribly telling. They will know that this IP, which they'll possibly correlate with your profile, is online and that's it.

I'm not saying that it this makes you invisible, but it reduces the damage somewhat.

I agree that I'd be very nice if RequestPolicy could let the browser cache jquery once and then "never again" let the browser access googleapis to get that same JS file.
*t

[msxfm]

Comment by sp00n
Thursday Jul 18, 2013 at 08:16 GMT

---

If you're really worried about Google, theoretically you could edit your hosts file to redirect ajax.googleapis.com to some other IP where you host the relevant JavaScript files yourself. Can even be 127.0.0.1, but as you cannot change the query path, you need to have at least some sort of web server running.

[msxfm]

Comment by asymmetric
Tuesday Dec 03, 2013 at 16:46 GMT

---

Take a look at this project, it aims at running a local mirror of ajax.googleapis.com.

It was thought to be run on OS X but should work with minimal configuration on other *nixes too.

[msxfm]

Comment by tpo
Saturday Dec 07, 2013 at 08:41 GMT

---

On Tue, 3 Dec 2013, Lorenzo Manacorda wrote:

Take a look at this project, it aims at running a local mirror of ajax.googleapis.com.

It was thought to be run on OS X but should work with minimal configuration on other *nixes too.

Thanks, I'll check it out.
*t

[nodiscc]

Copied from #396 :

replacing common, standard JS frameworks served remotely with local copies

I'd also like to see that, but in another addon. RP should limit itself to blocking requests to sites you don't trust. (also note that jquery.min.js when loaded from remote servers should remain cached locally unless you clear your cache)

An addon that does a local mirror of common js libs (usually fetched from CDNs) would be great, bit outside of scope for RequestPolicy, but definitely wanted.

[nodiscc]

Several partial solutions to this:

• Clear cookies regularly with addons like Self-Destructing Cookies
• Spoof your referer with SmartReferer to prevent ajax.googleapis.com from knowing what page you visit when the request is done
• Use your hosts file to redirect requests to jquery.js to a local file or a domain you control.
• Ask the site administrator to host their js libs themselves (eg. reddit.com has an option for this)
• Use a potential Scripts bundle requested in "bundle" rules #338
• Contribute to subscriptions to add a rule for sites that absolutely require calls to ajax.googleapis.com
• Take the time to allow the request if necessary, or live with the broken site. RequestPolicy is about user control on cross-site requests.

Closing this as I think everything has been said. Feel free to discuss this in General discussion or reopen this issue if appropriate.

[myrdd]

@nodiscc are you collecting all answers/explanations/statements for a potential FAQ (remembering them) like this one? If not, I'd do it.

👍 on your comment

[nodiscc]

Yep @myrdd questions like this one will be included in the FAQ (I'm still working on the doc/website, but directly editing the HTML to test ordering/readability/additions from requestpolicy.com
is a pain, so I'm currently doing it in a separate markdown file, and add it to the HTML when it's ready)

[nodiscc]

An addon that does a local mirror of common js libs (usually fetched from CDNs) would be great, bit outside of scope for RequestPolicy, but definitely wanted.

A possible candidate https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/ (https://github.com/Synzvato/decentraleyes), untested.