Maybe it's because I just skimmed the article, but what about the security implications of this? Doesn't dynamically loading third party ressources and serving them under your own domain open a whole can of worms?
Sure, but this is Google Fonts so if someone comprises that then they have access to many sites on the web.
I will say that this is probably overly complex and it would be easier to just download and serve the font files from your own domain instead. The CSS optimization isn't that necessary and is pretty much the same for all modern browsers.
It's a tricky issue. I think you mean privacy implications,I don't see how this would add security risk.
For privacy,loading third party fonts like google fonts on your site allows the 3rd party(google) to track users. To avoid that,I try to load google fonts from my domain(and for performance when google is slow or unreachable). Arguably,if your site already uses google fonts,putting cloudflare between google and users reduces the amount of tracking users are exposed to. One might also say how privacy conscious site owners should avoid both google and cloudflare.
The user's browser downloads the font off of Google's server, which gives Google their IP address, and the browser also tells Google's server what webpage it's currently visiting, via the HTTP referer.
And given that almost every webpage ships something from Google, Google has an almost complete browsing history for every public IP. There's generally multiple devices behind one public IP, especially for corporate networks or VPNs, so they still have to demultiplex that with further tracking, e.g. Google Analytics, Chrome Sync, Android, but that's rarely a problem either, as even if you're carefully avoiding these, everyone else under your public IP using them would be enough to single you out.
You're forgetting user agent strings as well. On mobile,They tell google the exact device make and model and in case of in-app browsers the specific app and version.
I don't know Google's privacy policy too well and I'm not a lawyer, but I think, this is still kind of uncharted legal territory.
No end user ever gets to see Google's privacy policy before their data is submitted to Google. Not even for Google Analytics, where I am pretty sure that Google does use the data, if the webpage owner isn't paying.
At the same time, Google will point to webpage owners, saying that they need to inform their users (which they do), but if Google wanted to "do the right thing", they would acknowledge that clearly webpage owners don't do that, and that therefore essentially any usage of Google Analytics data happens without user consent.
Under the GDPR, something like this would almost certainly not be legal and Google would be responsible, too, even if they're not the "controller", just the "processor", as the GDPR calls it.
Of course, we'll only know for sure once the lawsuits against Google have gone through.
It's not allowed under the GDPR. But let us get real; this is Google doing it, and anyone complaining about this practice would first need to prove that it happens (which is not easy). You can (and should) expect large American companies to always ignore as many laws as they can get away with.
That's a caricature. In my experience, Google has lots of lawyers that are quite serious about making sure what they do is at least arguably legal, and company procedures to make sure that employees follow the rules. Not that it always works.
I will say that this is probably overly complex and it would be easier to just download and serve the font files from your own domain instead. The CSS optimization isn't that necessary and is pretty much the same for all modern browsers.