
Decentraleyes – Local CDN Emulation - thunderbong
https://decentraleyes.org
======
cracker_jacks
> To learn more, or to download and install the free browser extension:

Edit: After re-reading this multiple times, I don't think this wording is
helpful. There should be a transparent description of what this extension
offers before users navigate to download and install options.

~~~
phoe-krk
You likely misread the sentence. It doesn't say "To learn more, download and
install the free browser extension:" - it says, "To learn more, or to
download and install the free browser extension:" and then provides you with
links to the stores that contain the description for the extension:

> _Websites have increasingly begun to rely much more on large third-parties
> for content delivery. Canceling requests for ads or trackers is usually
> without issue, however blocking actual content, not unexpectedly, breaks
> pages. The aim of this add-on is to cut out the middleman by providing
> lightning speed delivery of local (bundled) files to improve online
> privacy._

I agree that it's a _very_ weird frontpage and means of describing an
extension, but you don't need to run their code before reading what the
extension does.

~~~
cracker_jacks
Thanks for clarifying for me. Updated my post.

------
gruez
I like the idea of the extension, but the implementation is lacking. According
to the project's gitlab[1], only a dozen or so libraries are actually
being served. It doesn't seem to cache google web fonts, for instance. Some
sibling comments mentioned LocalCDN, which has more libraries and also
includes fontawesome, but still lacks google fonts.

[1]
[https://git.synz.io/Synzvato/decentraleyes/-/tree/master/res...](https://git.synz.io/Synzvato/decentraleyes/-/tree/master/resources)

~~~
Ijumfs
We should all be turning off web fonts anyway.

~~~
alexchamberlain
Citation needed?

~~~
surround
Let’s say 80% of websites load Google Fonts. Now Google knows 80% of your
browsing history.

~~~
njsubedi
Google Fonts doesn't track the users, or associate the use with the user's
account.

~~~
LargoLasskhyfv
Says who? And why should I believe/trust that?

------
texs0987
See also LocalCDN

[https://codeberg.org/nobody/LocalCDN](https://codeberg.org/nobody/LocalCDN)

It's a fork from decentraleyes with some more libraries included.

~~~
unicornporn
Interesting. However, not a part of the Recommended Extensions program.
Decentraleyes is.

~~~
texs0987
Very true, although I do like the addition of font awesome and preprepared
ublock rules in the addon

------
viraptor
It's a cool idea, even if just for performance reasons. So many things come
from CDNs these days, we may as well start shipping the common ones ahead of
time.

But recently I learned something unexpected. Lots of extensions are terrible
with their resources. On a page targeting tech-savvy people, around 1% of
requests have some extension content injected into the website which requests
an external font file. (info comes from CSP reports) There's so much tracking
opportunity exposed through them.

~~~
DavideNL
> "even if just for performance reasons"

I don't think it matters for performance because it's cached in the browser
anyway... So the purpose of the extension is privacy.

~~~
gitgud
I may be wrong, but I don't think the browser caches CDN requests, at least
per site...

So this might be a performance gain too

[https://stackoverflow.com/questions/29704811/why-isnt-the-br...](https://stackoverflow.com/questions/29704811/why-isnt-the-browser-loading-cdn-file-from-cache)

~~~
minitech
The answer at that Stack Overflow question is seriously incomplete (and even
it doesn’t say there’s no cache). Browsers today will, for the most part,
cache CDN responses, not need to revalidate them, and share that cache across
sites (though I think first-party isolation changes that to a per-site cache).

~~~
m463
Stop. Go and look at the stack overflow. Then view source and look at the CDN
links stack overflow uses.

~~~
minitech
Is your comment intended to be rude? Maybe more importantly: is it intended to
have a point?

------
indigo945
This addon is also useful when traveling in China. Since everything Google is
blocked by the Great Firewall, the Google CDN is, by extension, also blocked.
This breaks a lot of sites that would otherwise be reachable. Since with
Decentraleyes, no requests to CDNs need to be made, those sites will continue
to work as expected.

------
WJW
After clicking through several more times and ending up in a gitlab wiki, this
seems to be how it works:

> It comes bundled with a fair amount of commonly used files, and serves them
> locally whenever a site tries to fetch them from a delivery network.

The docs, both on the site that is linked to and on the wiki, are _extremely_
bare bones, but the gist of it is that a CDN can track you through the
`referer` header of the request for (say) jquery, since even if the browser
has jquery already cached it will send out a request to check if the resource
might have been modified.

~~~
paulryanrogers
Would a simpler solution be to just drop referrers from CDN requests? It would
probably require fewer updates to the package itself

~~~
surround
Decentraleyes already does this.

> What does it do to protect me when it has no choice but to allow a request?

> Even if a resource is not locally available, Decentraleyes offers improved
> protection by stripping optional headers from intercepted CDN-requests. This
> keeps specific data, such as what page you are on, from reaching delivery
> networks. Whitelisting a domain does not affect this measure.

[https://git.synz.io/Synzvato/decentraleyes/-/wikis/Frequentl...](https://git.synz.io/Synzvato/decentraleyes/-/wikis/Frequently-Asked-Questions#what-does-it-do-to-protect-me-when-it-has-no-choice-but-to-allow-a-request)
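
As an added illustration (not part of the thread and not Decentraleyes' own code), the two behaviours quoted above, local substitution and header stripping for requests that still have to go out, can be sketched as one decision function. The resource table, the stripped header list (`Referer`, `Origin`, `Cookie`), the whitelist semantics and all names are assumptions made for this example.

```javascript
// Added sketch: constructed data, hypothetical names, not the extension's code.
const CDN_HOSTS = new Set(['ajax.googleapis.com', 'cdnjs.cloudflare.com']);

// "host + path" of a CDN request -> bundled local file (constructed entries).
const BUNDLED = new Map([
  ['ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js',
    'resources/jquery/3.5.1/jquery.min.js'],
  ['cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js',
    'resources/jquery/3.5.1/jquery.min.js'],
]);

// Headers treated as "optional" here; this list is an assumption.
const OPTIONAL_HEADERS = new Set(['referer', 'origin', 'cookie']);

// req = { url, initiator, headers }; whitelist = Set of site hostnames for
// which local substitution is switched off by the user.
function handleRequest(req, whitelist = new Set()) {
  const url = new URL(req.url);
  if (!CDN_HOSTS.has(url.hostname)) return { action: 'ignore' };

  const site = new URL(req.initiator).hostname;
  const local = BUNDLED.get(url.hostname + url.pathname);
  if (local && !whitelist.has(site)) {
    // Served from disk: the delivery network never sees the request.
    return { action: 'redirect', local };
  }

  // No bundled copy, or the site is whitelisted: the request goes out,
  // but without the headers that reveal which page triggered it.
  const headers = Object.fromEntries(
    Object.entries(req.headers)
      .filter(([name]) => !OPTIONAL_HEADERS.has(name.toLowerCase())));
  return { action: 'pass', headers };
}
```
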

------
MattSteelblade
I've used Decentraleyes for a while now and it works great. I would actually
like to see it—or more specifically, the idea—integrated into browsers. It
would improve privacy, (potentially) security, and speed at the cost of disk
space.

~~~
scarlac
Was Opera's "Turbo" mode not a similar feature? A feature launched in the
early mobile/late dial-up days. Albeit the proxy CDN was provided by Opera. It
would take proxy JPEGs, compress them more, serve them from an edge node. I
don't think it was marketed as a privacy feature but mostly bandwidth/speed.
But in theory if you trust Opera, you'd get more privacy?

~~~
lucb1e
Given that Mozilla now has a proxy (VPN) service, that could be a nice tie-in
indeed.

~~~
mike_d
You don't want your VPN provider also unwrapping TLS.

~~~
lucb1e
So proxies intercepting your traffic are fine but VPN intercepting your
traffic is not?

Of course, this should be super explicit and opt-in, but Mozilla is in a
position where a lot of people would trust them (you can agree or disagree
whether that trust is misplaced) and if the goal is privacy and/or saving
bandwidth on poor connections, this could be very useful.

------
apt-get
Careful with performance if you're on an underpowered machine, as with all
content injectors, it could provoke frequent freezes if you have a decent to
large amount of tabs open.

[https://git.synz.io/Synzvato/decentraleyes/-/issues/323](https://git.synz.io/Synzvato/decentraleyes/-/issues/323)

------
mikeiz404
I kind of wonder how effective these extensions are for js libraries since
dependencies are often bundled into a single file. I have been using
decentraleyes for a while and when I have spot checked it on occasion it
hasn’t intercepted any requests on the page. I am assuming this is due to
bundling.

From a security standpoint bundling is not an issue as no additional requests
are made but from a speed and performance standpoint I don’t think there is
much extensions like this or browser caching can do. It kind of makes me wish
bundling wasn’t a thing now that we have QUIC/HTTP3 being adopted.

With all that said I am still glad to have this extension around.

------
nyanpasu64
Note that Decentraleyes appears to break some sites due to CSP and SRI issues.
I uninstalled it months/years ago, but forgot which sites broke. The bug
tracker link is at
[https://git.synz.io/Synzvato/decentraleyes/-/issues/16](https://git.synz.io/Synzvato/decentraleyes/-/issues/16).

~~~
MattSteelblade
According to their whitelist[1], cdnjs.com, dropbox.com, glowing-bear.org,
minigames.mail.ru, report-uri.io, scotthelme.co.uk, securityheaders.io,
stefansundin.github.io, udacity.com, yadi.sk, and yourvotematters.co.uk are
known to have issues. For as long as I can remember, you can also whitelist
sites yourself.

[1][https://git.synz.io/Synzvato/decentraleyes/blob/b3931febc234...](https://git.synz.io/Synzvato/decentraleyes/blob/b3931febc2343f73c8262f2f024e325e2ced4d0c/core/interceptor.js#L46)

------
surround
Decentraleyes, HTTPS everywhere, and uBlock Origin are the three
set-it-and-forget-it extensions that everyone should have to improve their
privacy.

~~~
mkbkn
Somewhat noob here. Would you suggest LocalCDN instead of Decentraleyes?

------
caiobegotti
The whole maintainers and forks thingy between Decentraleyes and LocalCDN
seems so strange to me that I'm left more suspicious about which I should
use, if I ever should use any, given both their behavior regarding the forks. I
don't feel "safe" to use something so critical privacy-wise in that situation.

EDIT: refs

[https://codeberg.org/nobody/LocalCDN/issues/51](https://codeberg.org/nobody/LocalCDN/issues/51)

[https://gitlab.com/nobody42/localcdn/-/issues/5](https://gitlab.com/nobody42/localcdn/-/issues/5)

[https://git.synz.io/Synzvato/decentraleyes/-/issues/400](https://git.synz.io/Synzvato/decentraleyes/-/issues/400)

~~~
jorams
What's strange about it? Decentraleyes isn't being maintained very actively.
The author of LocalCDN found the pace too slow and forked to update things for
themselves. They are very civil about it.

------
sneak
Another of the million huge enhancements that could be built natively into
browsers if browsers weren’t intentionally stuck in the 90s by
advertising/tracking companies.

I wonder when we’ll see a real browser alternative that includes no-brainer
features like bundling the most common libraries in local forever-cache by SRI
hash.

------
divbzero
To summarize some of the limitations I’ve read in sibling comments:

– Recent trend appears to be bundling resources (_e.g._ Webpack) instead of
using CDNs.

– This trend is complemented by browsers moving to per-site caches that limit
the benefit of CDNs.

– Content-Security-Policy and/or Subresource Integrity restrictions can break
some websites.

– Only a limited set of resources are included with Decentraleyes.

All that said, this is a really cool idea from both privacy and performance
standpoints. Would love to see ways to address those limitations in the
future.

------
svalto
Decentraleyes breaks sites that use subresource integrity, which is why I
sadly needed to stop using it, until I find time to land a PR.
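
An added sketch (not part of the thread, and not code from Decentraleyes or any browser) of the two SRI points raised above: the integrity check that any locally substituted file has to pass, and the "local forever-cache by SRI hash" idea, where a cache hit is by construction byte-identical to what the page pinned. It runs under Node.js; `SriCache`, the helper names and the sample bytes are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// "<alg>-<base64 digest>", the form used in an integrity attribute.
function sriHash(bytes, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(bytes).digest('base64')}`;
}

// Parse an integrity attribute; skip unknown tokens and keep only the
// hashes of the strongest algorithm present.
function strongestHashes(attr) {
  const parsed = [];
  for (const tok of attr.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok);
    if (m) parsed.push({ alg: m[1], value: `${m[1]}-${m[2]}` });
  }
  const best = Math.max(0, ...parsed.map((p) => STRENGTH[p.alg]));
  return parsed.filter((p) => STRENGTH[p.alg] === best).map((p) => p.value);
}

// True if the delivered bytes satisfy the integrity attribute.
function passesSri(bytes, attr) {
  const wanted = strongestHashes(attr);
  if (wanted.length === 0) return true; // no usable metadata: nothing enforced
  return wanted.some((h) => h === sriHash(bytes, h.split('-')[0]));
}

// Content-addressed store: files are indexed by their own SRI hashes, so a
// lookup by integrity attribute can only return matching bytes.
class SriCache {
  constructor() { this.byHash = new Map(); }
  add(bytes) {
    for (const alg of Object.keys(STRENGTH)) this.byHash.set(sriHash(bytes, alg), bytes);
  }
  lookup(attr) {
    for (const h of strongestHashes(attr)) {
      if (this.byHash.has(h)) return this.byHash.get(h);
    }
    return null; // unknown hash or no integrity attribute: go to the network
  }
}

// Constructed sample: the file a page pinned, and a re-formatted local copy.
const LIB = Buffer.from('/* constructed stand-in for a library */\nvar x=1;\n');
const REPACKED = Buffer.from('/* constructed stand-in for a library */\nvar x = 1;\n');
```
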

------
Andrex
Just chiming in to say I think the name is brilliant and perfectly matched to
such a software project.

------
totetsu
I want this on a mobile browser too

~~~
noman-land
If you use mobile Firefox, you can use any extensions you like.

~~~
totetsu
So the banner on the plugin page saying it is for a different version is just
a warning?

------
ilikenwf
I find localcdn to be a better option, it's a fork of Decentraleyes.

Make sure to read the directions, though, to integrate properly with
uBO/uMatrix.

[https://add0n.com/local-cdn.html](https://add0n.com/local-cdn.html)

------
smcleod
I’ve been using this for years and it works a charm. It has my endorsement for
sure.

------
benbristow
Would be nice to see this published to the Microsoft Edge Addons store -
[https://microsoftedge.microsoft.com/addons](https://microsoftedge.microsoft.com/addons)

------
LinuxBender
Does this addon have any security implications when used in combination with
uBlock or NoScript? If the JS is being injected, does that induce any risks of
JS being executed when it should be blocked?

~~~
gorhill
Blocking a resource has precedence over redirecting a resource. If your
blocker blocks a resource, Decentraleyes or any other extension won't be able
to redirect it.

------
buro9
If it is taking third party resources and inlining them then this extension
will be breaking the protections offered by the domain and JavaScript security
model.

------
Altheasy
Isn't your browser already caching these resources for you?

~~~
DavideNL
Yes, and no:

[https://git.synz.io/Synzvato/decentraleyes/-/wikis/Frequentl...](https://git.synz.io/Synzvato/decentraleyes/-/wikis/Frequently-Asked-Questions#my-browser-caches-downloaded-cdn-libraries-doesnt-that-protect-my-privacy)

