When your page uses resources hosted outside your control, you are effectively giving a third-party access to your users. This applies equally to fonts, images from image hosting services, videos from youtube, etc, and especially to Javascript code (including analytics).
At best, you are trading some bandwidth savings for allowing a third-party to analyze your traffic patterns and users in return - maybe that sounds like a good trade to you.
But at worst, your are allowing a third-party (or the people that buy that third-party years from now) to break your site (removing images, etc) at any time, completely outside your control. That is not even considering malicious intent. Google is probably OK right now, but who knows?
1. Tracking is not really effective if the user agent caches the font aggressively.
2. Subresource integrity takes care that at least the file cannot be modified freely without you knowing.
So there is only the case that the file either is there as you expect, or it is not available. Does that leave room for malicious intent?
https://developer.mozilla.org/en-US/docs/Web/Security/Subres...
Subresource integrity is OK, but in this case would have totally broken the site in a different way. If you want to make sure a resource can't change, host it yourself and don't change it.
Subresource integrity is a double edged sword because when a third party updates a resource then your page breaks. Of course you can build fallbacks by loading from your domain in case of errors but then you just doubled engineering effort and have rarely executed code paths in your source.
The other big technical reason to self host Google fonts is wanting your website to load in China. The Google CDN is blocked there, in case anyone here is unaware.
I used to think that same way. I wanted to host everything myself, so I could control, and make sure everything ran the way I wanted. It took me a while -- not sure how long -- to realise no man is an island.
I always wonder how easily "the whole industry" tacitly agreed it's a good thing because of caching. Nowadays nobody sits down and calculates the weights of benefits and disadvantages, most people are just using CDNs because practically everyone else is doing just that.
There was probably a time when it did matter, but I believe (without much evidence) that the benefits of CDNs are less now.
* Hosting on decently fast machines is a lot cheaper.
* Overall bandwidth is increasing
* HTTP2 makes serving up resources cheaper and faster even without other changes. Before a page might request 100 resources and the browser would download them 8 at a time due to having a maximum number of connections to a server.
* Browsers are getting smarter about loading resources in general
* There used to be only a few big Javascript libraries that everyone tended to use (jQuery, etc). So your browser would download them once from the CDN and cache it for multiple sites. These days there are a lot more. Same with fonts. With hundreds of fonts available the chances of your page's fonts being in the cache is small.
The only resources that I think might still be worth offloading to a specialized third-party would be video files, which are still too large to be easily hosted.
This doesn't take the user's connection into account. The user could have a really slow connection (think 3G mobile or worse). Any amount of caching helps tremendously here.
Also, caching and fat pipes are just two benefits of CDNs. They also handle the multi-region issue.
> Also, caching and fat pipes are just two benefits of CDNs. They also handle the multi-region issue.
If you are actually paying a CDN to host your stuff you can expect better service. Here we are talking about using resources from third-parties for "free".
Don't get me wrong, CDNs are very useful for hosting high-traffic sites. And if you are paying them money to host all your resources then you are effectively in control as far as the issue we are talking about in this thread.
My argument is that, for smaller sites, the received wisdom used to be that letting google (or whoever) host myspecalfont.wcf, or bigjavascriptlibrary.js, or whatever in their CDN was a good idea since it made your site load faster. This was certainly true, up to a point, but is less important now, due to the factors I listed.
Whether or not these factors make a difference to you is completely dependent on the details of your site.
Latency is still a factor. For any reasonably popular page with cloudflare in front of it, static files will be at the local edge. Requesting websites hosted in US-West from Europe is ~200ms latency, responses from the cloudflare edge here (London) usually have 20-30ms (TTFB). That can be a big difference, esp if you have spotty reception. If your users are all over the world this becomes even more important.
OK, but we're talking about hosting only a part of the website content on the CDN here. In this case - fonts. We can - and should - use the default font to render the text until the webfont has been completely loaded, using one of the available techniques. Unfortunately, even some high profile websites ignore this issue and block displaying the text until the font is loaded.
Piwik is a drop-in replacement for Google Analytics.
But the problem with all of them is that they rely on Javascript beacons to track visits. With more and more people using ad- and privacy-blockers, more and more visitors just disappear from your stats.
I still keep Awstats on some sites for this reason, and the difference between the Awstats numbers and the Google Analytics or Piwik ones is growing and picking up speed.
But not for just the reasons given in the link.
When your page uses resources hosted outside your control, you are effectively giving a third-party access to your users. This applies equally to fonts, images from image hosting services, videos from youtube, etc, and especially to Javascript code (including analytics).
At best, you are trading some bandwidth savings for allowing a third-party to analyze your traffic patterns and users in return - maybe that sounds like a good trade to you.
But at worst, your are allowing a third-party (or the people that buy that third-party years from now) to break your site (removing images, etc) at any time, completely outside your control. That is not even considering malicious intent. Google is probably OK right now, but who knows?
TL/DR : Host everything yourself