Hacker News
by Ileca 3695 days ago
"Self-hosting analytics for better privacy and accuracy."

Then why use Google Fonts, which is listed by Disconnect.me (used by Firefox) as a tracking domain? Isn't that paradoxical?

4 comments

Oh, hey, good point. Let me fix that.

EDIT: Done. Not exactly straightforward to download Google Fonts but there are great helpers around. Got rid of CDNjs as well, since CloudFlare has HTTP/2 now. No 3rd parties left except GA, which will go in a day or two.

If you just want to have nicer webfonts without the 'phoning home to Google' issue try Brick webfonts at http://brick.im/.

If the goal is to get rid of all third-party dependencies you can still use the Brick repository on GitHub to download the better looking fonts and self-serve them, just as you are now with the Google served ones.

The only 'gotcha' I found with using Brick is that NoScript users won't see the fonts and won't see the Brick URL in the menu for whitelisting. They will need to inspect the page and learn that they must manually add brick.im. Not exactly user-friendly but then again NoScript breaks lots of things and users are used to it.

> Not exactly straightforward to download Google Fonts

Hah, wonder why that is.

It's pretty easy to download them. They're on GitHub.

https://github.com/google/fonts

I don't think* embedding Google Fonts allows Google much (any?) data collection beyond, presumably, that the font was requested, though it's definitely an unnecessary dependency.

Given Google Fonts allows you to download all of the fonts, with license info provided, in a variety of formats, there's almost no good reason not to embed them directly in your own site.

Right now, Sandstorm apps will currently work with Google Fonts, but the Sandstorm team intends to sandbox the client side better in the near-ish future, so I've already been nudging Sandstorm apps to make sure not to use such things when I see it.

Note that while the author's blog uses Google Fonts, the Piwik Sandstorm package does not. (I checked.)

*I don't know.

Google Fonts does see the page you are on, in the `Referer` header. According to mitmproxy:

    host:              fonts.googleapis.com
    Connection:        keep-alive
    Proxy-Connection:  keep-alive
    Accept:            text/css,*/*;q=0.1
    User-Agent:        Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
    Accept-Language:   en-us
    Referer:           https://blog.filippo.io/self-host-analytics/
    Accept-Encoding:   gzip, deflate

(I agree with the rest of your comment; the best thing to do is host the fonts yourself.)
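
An added illustration of the exposure shown in the capture above (not part of any comment in this thread, and not code from the blog or the Piwik package): a short Python audit that lists the third-party hosts a page's markup fetches from and the `Referer` value each one would receive. The sample page, `cdn.example` and all function names are constructed; it assumes HTTPS-to-HTTPS requests and only reads a policy set through `<meta name="referrer">`, not the `Referrer-Policy` response header, per-element `referrerpolicy` attributes, or resources pulled in from inside CSS or scripts.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

# Tags whose attribute makes the browser fetch a subresource on page load.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
FETCH_RELS = {"stylesheet", "preload", "icon"}  # rel="canonical" fetches nothing
# What a cross-origin HTTPS request carries under each policy (no downgrade).
EFFECT = {"no-referrer": "none", "same-origin": "none", "origin": "origin",
          "strict-origin": "origin", "origin-when-cross-origin": "origin",
          "strict-origin-when-cross-origin": "origin",
          "no-referrer-when-downgrade": "full", "unsafe-url": "full"}

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page_host = page_url, urlsplit(page_url).hostname
        self.policy, self.hosts = None, {}  # <meta> policy; host -> URLs fetched

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.policy = a.get("content", "").strip().lower()
        attr = FETCH_ATTRS.get(tag)
        if not attr or not a.get(attr):
            return
        if tag == "link" and not FETCH_RELS & set(a.get("rel", "").lower().split()):
            return
        url = urljoin(self.page_url, a[attr])  # resolves relative and // URLs
        host = urlsplit(url).hostname
        if host and host != self.page_host:
            self.hosts.setdefault(host, []).append(url)

def audit(html, page_url, default="strict-origin-when-cross-origin"):
    """Map each third-party host to the Referer value it would receive."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    # Unknown or missing <meta> policy falls back to the browser default.
    effect = EFFECT[parser.policy if parser.policy in EFFECT else default]
    seen = {"none": None, "origin": urljoin(page_url, "/"),
            "full": urldefrag(page_url).url}[effect]
    return {host: seen for host in parser.hosts}

# Constructed sample page, not the markup of the blog discussed in the thread.
PAGE = "https://blog.example/self-host-analytics/"
HTML = """<head><link rel="canonical" href="https://other.example/post">
<link href="https://fonts.googleapis.com/css?family=Lato" rel="stylesheet">
<script src="//cdn.example/lib.js"></script></head><body><img src="logo.png">"""

if __name__ == "__main__":
    print(audit(HTML, PAGE, default="no-referrer-when-downgrade"))
```

The `default` argument stands in for the browser's built-in policy: current browsers use `strict-origin-when-cross-origin`, while passing `no-referrer-when-downgrade` reproduces the full-URL `Referer` seen in the capture. Self-hosting the font empties the result entirely, which is the fix the thread converges on.
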

And it does appear Google just blankets this into its general API terms of use that they can "use submitted data" in accordance with their general privacy policies. So yeah, I guess they can use it as part of their tracking. :/

I share the concern about privacy, but there is a benefit to using Google Fonts: maybe it increases the chance of the font being already cached on the client?

Small side story: I had a 'fun' night where I 'just' wanted to make a self-hosted WordPress also perfect regarding privacy. This was not easy! First I had to install a plugin which does not use Google Fonts for a certain theme, then I needed to disable the default avatar service using another plugin and customization, next I needed to convert YouTube and Twitter embeds into images with links and so on. It took me several hours.

At that time I thought I was the only one with these requirements ... also a bit strange for an open source project to have such defaults IMO.

He probably didn't know that given it's not the most intuitive thing to notice.