Forum Replies Created

Viewing 11 replies - 1 through 11 (of 11 total)
  Thread Starter gessel

    (@gessel)

    Oops, spoke too soon; definitely back to the same. An odd artifact where the user icon was successfully pulled quickly passed, and it no longer does.

    Thread Starter gessel

    (@gessel)

    It seems to be working now. Not sure how, but it fixed itself. Happy New Year!

    On my installs (2x) data collection stopped on 5 September. I don’t see any obvious record of an upgrade or change that would have caused it. Everything else seems normal. I, too, would prefer not to delete all and restart.

    OMG, it is so, so, so horrible. It is pretty much catastrophically bad. Fortunately you can easily find thousands of hits with the search “wordpress block editor is horrible,” and the vast, vast swell of people who are just flabbergasted by this abomination created a pretty straightforward path to finding a solution. Now just to make the classic editor default and this misery something people need to search to inflict upon themselves. The Classic Editor’s 1M+ downloads speak volumes about the popularity of the block editor.

    Thread Starter gessel

    (@gessel)

    Thanks, that was the trick. On FreeBSD:
    # cd /usr/ports/lang/php56-extensions/ && make install clean
    Does the trick. Use # make config to choose which modules to install.

    Thread Starter gessel

    (@gessel)

    Tobias,

    Thanks for responding, but no… I really don’t have a clue. I turned on debugging to get a bit more data and… the problem went away; everything loaded as normal. Turning off debugging doesn’t seem to have brought it back. Maybe there was an update going on in the background? Possibly; there was one plugin that reported it needed to be updated, which had completed on a later check. :/

    anyway, thanks for the awesome plugin.

    Thread Starter gessel

    (@gessel)

    Weird, turned on debugging, reloaded the page, no problem. Very odd… Anyway, NP now.

    Thread Starter gessel

    (@gessel)

    Ipstenu, thanks – Lightbeam failed me on Gravatar. I turned off Gravatars in the UI and saw the connection still shown in Lightbeam. Testing later, I found it was polling for the favicon that Lightbeam itself was using to display the connection. Oops.

    The updates to w.org would be non-threatening to visitors, though consistent with respecting the privacy of WordPress installers, it should be possible (though obviously a security risk) to disable any callbacks through the UI.

    That leaves only the one font call, which, ultimately, is a trivial fix and can hopefully be implemented promptly.

    I’d suggest that a privacy disclosure be required for the core and all plugins. I’d suggest that a simple administration page enumerate any calls to third parties by the core and any plugins that call third parties (either at all or by third party) and have provisions for disabling them in that view. This would give administrators easy access to the information necessary to protect their own and their visitors’ privacy, and developers some incentive to respect privacy where possible.

    Thread Starter gessel

    (@gessel)

    Not exactly, but I am 100% certain that they model all data available to them.

    Totally agreed, but we can’t ever be certain of what information they do make available or to whom, and it seems consistent with company policy to Keep All The Datas.

    In the current release, Google’s servers are summoned from two lines:

    ./wp-includes/script-loader.php:602:            $open_sans_font_url = "//fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,300,400,600&subset=$subsets";
    ./wp-includes/js/tinymce/plugins/compat3x/css/dialog.css:1:@import url(//fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,300,400,600&subset=latin-ext,latin);

    The comment above the line in script-loader.php reads…

    // Hotlink Open Sans, for now

    …implying that the hotlinking call is intended to be a temporary shortcut, perhaps one that can be cleaned up.

    In dialog.css, the call is more typical (it seems atypical to define a font in a .php file rather than a .css file, no?).

    @import url(//fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,300,400,600&subset=latin-ext,latin);
    
    /* Generic */
    body {
    font-family: "Open Sans", sans-serif;
    font-size:13px;
    background:#fcfcfc;
    padding:0;
    margin:8px 8px 0 8px;
    }

    This can easily be cleaned up as:

    /* @import url(//fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,300,400,600&subset=latin-ext,latin); */
    
    /* Generic */
    body {
    /* font-family: "Open Sans", sans-serif; */
    font-family: "Trebuchet MS",Trebuchet,Verdana,sans-serif; /* font-family, not the font shorthand: the shorthand requires a size and is otherwise dropped */
    font-size:13px;
    background:#fcfcfc;
    padding:0;
    margin:8px 8px 0 8px;
    }

    The TinyMCE font definition is easier to deal with, as it is thenceforth known as “body,” not “Open Sans.” TinyMCE looks just fine testing this fix, and from now on I won’t generate Google logs every time I edit a post. Please note I am not claiming aesthetic equivalence for the substitution. If Open Sans is the One True and Right font for this application, then serve it locally (Open Sans off FontSquirrel is Apache licensed). I personally appreciate Source Sans’ differentiation between 1, l and I; Open Sans renders I and l almost indistinguishably. Let’s not tar all things Adobe just because The Steve didn’t like the Flash.

    The way Open Sans is used in core wordpress code is slightly less… elegant? It is referenced in 71 places (including 6 references in twentytwelve) including:

    ./wp-admin/css/dashboard-rtl.css:997:/* Make the browser nags easier to read with Open Sans */

    And while I agree it is a fine font, aesthetics and convenience should not trump privacy. Further, while it is one thing to be involuntarily harvested and sold to marketers and data aggregators so a programmer can enjoy the tasty bit of cheese with which the trap was baited, people do use wordpress as a platform to disseminate information and news around repressive regimes, occasionally regimes where Google maintains a locus of business and must therefore comply with national law, laws which may mirror or exceed CALEA and NSLs. As the data aggregated includes the visitor’s IP and the referrer URL, even if the site itself is hosted on protected servers underground in Sweden and run by trusted dissidents with as much to lose as the visitors, a programmatic shortcut to a cosmetic conceit creates a backdoor that could, literally, cost lives.

    Thread Starter gessel

    (@gessel)

    Unless the visitor hits the login page, and then WordPress generates these font calls

    #	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
    19	200	HTTP	fonts.googleapis.com	/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&subset=latin%2Clatin-ext&ver=3.9.1	1,672	private, max-age=86400; Expires: Sun, 20 Jul 2014 14:44:07 GMT	text/css	iexplore:9684

    and then these

    #	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
    25	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/DXI1ORHCpsQm3Vp6mXoaTRa1RVmPjeKy21_GQJaLlJI.woff	38,344	public, max-age=31536000; Expires: Thu, 16 Jul 2015 05:18:34 GMT	font/woff	iexplore:9684
    26	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/MTP_ySUJH_bn48VBG8sNSha1RVmPjeKy21_GQJaLlJI.woff	38,484	public, max-age=31536000; Expires: Thu, 16 Jul 2015 05:18:34 GMT	font/woff	iexplore:9684
    27	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/PRmiXeptR36kaC0GEAetxrsuoFAk0leveMLeqYtnfAY.woff	36,816	public, max-age=31536000; Expires: Wed, 15 Jul 2015 13:49:19 GMT	font/woff	iexplore:9684
    28	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/PRmiXeptR36kaC0GEAetxmWeb5PoA5ztb49yLyUzH1A.woff	36,832	public, max-age=31536000; Expires: Fri, 17 Jul 2015 18:55:32 GMT	font/woff	iexplore:9684

    Or if the user is logged in, then the header bar generates the following requests:

    #	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
    73	200	HTTP	fonts.googleapis.com	/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&subset=latin%2Clatin-ext&ver=3.9.1	1,672	private, max-age=86400; Expires: Sun, 20 Jul 2014 14:45:46 GMT	text/css	iexplore:9684

    And then loads these:

    #	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
    89	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/PRmiXeptR36kaC0GEAetxrsuoFAk0leveMLeqYtnfAY.woff	36,816	public, max-age=31536000; Expires: Wed, 15 Jul 2015 13:49:19 GMT	font/woff	iexplore:9684
    90	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/DXI1ORHCpsQm3Vp6mXoaTRa1RVmPjeKy21_GQJaLlJI.woff	38,344	public, max-age=31536000; Expires: Thu, 16 Jul 2015 05:18:34 GMT	font/woff	iexplore:9684
    91	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/MTP_ySUJH_bn48VBG8sNSha1RVmPjeKy21_GQJaLlJI.woff	38,484	public, max-age=31536000; Expires: Thu, 16 Jul 2015 05:18:34 GMT	font/woff	iexplore:9684
    92	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/PRmiXeptR36kaC0GEAetxmWeb5PoA5ztb49yLyUzH1A.woff	36,832	public, max-age=31536000; Expires: Fri, 17 Jul 2015 18:55:32 GMT	font/woff	iexplore:9684

    Meaning that by visiting a WordPress site (and either logging in or attempting to), a user inadvertently and (typically) unknowingly generates logs on Google’s servers that create a record of the visit (IP, time, date, browser and referrer), which Google has and can (and must) provide on request to any law enforcement agency, and can (and probably does) sell to any advertiser: records of every logged-in visit or login attempt to any WordPress site.

    Obviously Google is selling the font service in exchange for this information. While that might be a fair transaction for some, it seems inappropriate to sell users’ data for convenience without their consent or knowledge. And seriously, is this transgression of user privacy warranted to render these informational pages in something other than the system font?
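The capture tables above are read by eye. As an added example (not code from this thread or from WordPress), the script below parses a tab-separated proxy capture in the same column layout (#, Result, Protocol, Host, URL, Body, Caching, Content-Type, Process), separates first-party hosts from everything else, and reports per third-party host the request count, bytes transferred and any WordPress version string leaked in the ver= query parameter, which the captures above show being sent to fonts.googleapis.com. The capture text, the site name example.org and the column names are constructed for the example.

```python
"""Enumerate the third-party hosts a WordPress page load contacts.

Added example for this thread, not code from the forum or from WordPress.
The capture text below is constructed to mirror the tab-separated columns
quoted in the thread; it is not a real capture.
"""
from urllib.parse import parse_qs, urlsplit

COLUMNS = ("num", "result", "protocol", "host", "url", "body",
           "caching", "content_type", "process")

# Constructed sample: a login-page load on a hypothetical site (example.org)
# plus the Google font requests the thread shows.
SAMPLE_CAPTURE = """\
#\tResult\tProtocol\tHost\tURL\tBody\tCaching\tContent-Type\tProcess
18\t200\tHTTP\texample.org\t/wp-login.php\t4,112\tno-cache\ttext/html\tiexplore:9684
19\t200\tHTTP\tfonts.googleapis.com\t/css?family=Open+Sans%3A300italic%2C400&subset=latin%2Clatin-ext&ver=3.9.1\t1,672\tprivate, max-age=86400\ttext/css\tiexplore:9684
25\t200\tHTTP\tthemes.googleusercontent.com\t/static/fonts/opensans/v8/DXI1ORHCpsQm3Vp6mXoaTRa1RVmPjeKy21_GQJaLlJI.woff\t38,344\tpublic, max-age=31536000\tfont/woff\tiexplore:9684
26\t200\tHTTP\tthemes.googleusercontent.com\t/static/fonts/opensans/v8/MTP_ySUJH_bn48VBG8sNSha1RVmPjeKy21_GQJaLlJI.woff\t38,484\tpublic, max-age=31536000\tfont/woff\tiexplore:9684
"""


def parse_capture(text):
    """Turn the tab-separated capture into a list of row dicts (body in bytes)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):   # blank or header line
            continue
        fields = line.split("\t")
        if len(fields) < len(COLUMNS):                  # malformed row: skip it
            continue
        row = dict(zip(COLUMNS, fields))
        row["body"] = int(row["body"].replace(",", "") or 0)
        rows.append(row)
    return rows


def is_third_party(host, first_party):
    """True unless host is one of the site's own domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return not any(host == d or host.endswith("." + d) for d in first_party)


def third_party_report(rows, first_party):
    """Per third-party host: request count, bytes, paths and leaked ver= values."""
    report = {}
    for row in rows:
        if not is_third_party(row["host"], first_party):
            continue
        entry = report.setdefault(
            row["host"], {"requests": 0, "bytes": 0, "paths": [], "versions": set()})
        entry["requests"] += 1
        entry["bytes"] += row["body"]
        parts = urlsplit(row["url"])
        entry["paths"].append(parts.path)
        # A ver= parameter on a request to someone else's server tells them
        # which WordPress release the site runs.
        for v in parse_qs(parts.query).get("ver", []):
            entry["versions"].add(v)
    return report


def format_report(report):
    """One human-readable line per third-party host, sorted by host name."""
    lines = []
    for host in sorted(report):
        e = report[host]
        ver = ", ".join(sorted(e["versions"])) or "none"
        lines.append(f"{host}: {e['requests']} request(s), {e['bytes']} bytes, "
                     f"version disclosed: {ver}")
    return lines


if __name__ == "__main__":
    rows = parse_capture(SAMPLE_CAPTURE)
    for line in format_report(third_party_report(rows, {"example.org"})):
        print(line)
```

Every host the report lists receives the visitor's IP address and, with default browser settings, a Referer carrying the page URL; the report does not show those headers because the capture columns above do not include them, so export them from the proxy if you need to confirm what was sent.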

    Thread Starter gessel

    (@gessel)

    Line 580: // Hotlink Open Sans, for now

    It would be cool if there was an option for locally serving fonts, say by incorporating this script:
    https://github.com/DaAwesomeP/php-offline-fonts/

    This would achieve all of the compatibility of Google’s user agent checks but wouldn’t leak user data to Google.

    It doesn’t solve the problem of closed LAN operation, but perhaps this could be solved with local download and code like this:
    @font-face {
    font-family: 'MyWebFont';
    src: url('webfont.eot'); /* IE9 Compat Modes */
    src: url('webfont.eot?#iefix') format('embedded-opentype'), /* IE6-IE8 */
    url('webfont.woff') format('woff'), /* Modern Browsers */
    url('webfont.ttf') format('truetype'), /* Safari, Android, iOS */
    url('webfont.svg#svgFontName') format('svg'); /* Legacy iOS */
    }

    (from https://css-tricks.com/snippets/css/using-font-face/)

    The goals being:

    1) Eliminate privacy compromising calls to third parties,
    2) Transparent operation on a closed LAN.
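The local-serving approach proposed above (fetch the CSS Google returns, pull the font files, point the @font-face rules at local copies) is shown here as an added example. It is not code from this thread, from WordPress or from php-offline-fonts. Given a Google Fonts stylesheet, the function rewrites every remote url(...) inside an @font-face block to a local path and returns a download plan mapping each remote file to a local name derived from the family, weight and style, so the browser never contacts Google and the site keeps working on a closed LAN once the files are in place. The sample stylesheet is constructed in the shape Google serves, and the /wp-content/fonts prefix is an assumption for the example, not a WordPress convention.

```python
"""Rewrite Google Fonts CSS so the fonts are served from the site itself.

Added example for this thread, not code from the forum, from WordPress or
from php-offline-fonts. The sample CSS is constructed; the local prefix
/wp-content/fonts is an assumption.
"""
import os
import re
from urllib.parse import urlsplit

FACE_RE = re.compile(r"@font-face\s*\{(.*?)\}", re.S)
# Only absolute or scheme-relative URLs are remote; url(/local/path) is left alone.
URL_RE = re.compile(r"url\(\s*(['\"]?)((?:https?:)?//[^)'\"\s]+)\1\s*\)")

# Constructed sample in the shape of a fonts.googleapis.com response.
SAMPLE_GOOGLE_CSS = """\
@font-face {
  font-family: 'Open Sans';
  font-style: normal;
  font-weight: 400;
  src: local('Open Sans'), local('OpenSans'), url(http://themes.googleusercontent.com/static/fonts/opensans/v8/DXI1ORHCpsQm3Vp6mXoaTRa1RVmPjeKy21_GQJaLlJI.woff) format('woff');
}
@font-face {
  font-family: 'Open Sans';
  font-style: italic;
  font-weight: 300;
  src: local('Open Sans Light Italic'), local('OpenSans-LightItalic'), url(//themes.googleusercontent.com/static/fonts/opensans/v8/PRmiXeptR36kaC0GEAetxrsuoFAk0leveMLeqYtnfAY.woff) format('woff');
}
"""


def _prop(body, name, default):
    """Read one declaration (e.g. font-weight) out of an @font-face body."""
    m = re.search(rf"{name}\s*:\s*(['\"]?)([^;'\"]+)\1", body, re.I)
    return m.group(2).strip() if m else default


def localize_font_css(css, local_prefix="/wp-content/fonts"):
    """Return (rewritten_css, plan); plan maps each remote URL to a local file name."""
    plan = {}

    def rewrite_block(m):
        body = m.group(1)
        family = _prop(body, "font-family", "font")
        weight = _prop(body, "font-weight", "400")
        style = _prop(body, "font-style", "normal")
        slug = re.sub(r"[^a-z0-9]+", "-", family.lower()).strip("-")

        def rewrite_url(um):
            remote = um.group(2)
            if remote.startswith("//"):
                remote = "https:" + remote       # scheme-relative: fetch over TLS
            ext = os.path.splitext(urlsplit(remote).path)[1] or ".bin"
            local_name = f"{slug}-{weight}-{style}{ext}"
            plan[remote] = local_name
            return f"url({local_prefix}/{local_name})"

        # local() sources are kept; only the remote url() entries change.
        return "@font-face {" + URL_RE.sub(rewrite_url, body) + "}"

    return FACE_RE.sub(rewrite_block, css), plan


def remaining_remote_urls(css):
    """Audit helper: any remote font URLs still present (should be none after rewriting)."""
    return [m.group(2) for m in URL_RE.finditer(css)]


def download_plan(plan, dest_dir):
    """Fetch each planned file into dest_dir (needs network; not run in the sample)."""
    import urllib.request
    os.makedirs(dest_dir, exist_ok=True)
    for remote, local_name in plan.items():
        urllib.request.urlretrieve(remote, os.path.join(dest_dir, local_name))


if __name__ == "__main__":
    rewritten, plan = localize_font_css(SAMPLE_GOOGLE_CSS)
    print(rewritten)
    for remote, local_name in plan.items():
        print(f"fetch {remote} -> {local_name}")
```

Google varies the returned CSS by User-Agent (the thread's mention of Google's user-agent checks), so fetch the stylesheet once per font format you intend to serve, run each response through the rewrite, and check remaining_remote_urls() on the result before shipping it; the rewritten CSS then replaces the hotlinked @import, and the files from the plan go under the chosen prefix.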
