Third-party jsdelivr

Every time I go to edit, I have to open things up to permit connections to jsdelivr.net, which I don’t normally allow because they seldom have content I need. Blind calls to third-party CDNs are risky; you should be minimizing that as much as possible. What happens when (not if) jsdelivr gets compromised and starts serving out malicious code to your well-meaning editors? You should grab whatever content you need from them, VET IT, and then serve it out locally via resources that you control instead.

If I caught, say, my bank pulling stunts like that I’d be out of there immediately.

_H*

I believe it’s only used for loading data - our security policy wouldn’t allow any code to be loaded from it.

Specifically it seems to be used for the tagging presets, the name suggestion index and the community index.


uMatrix and Firefox’s network tab confirm: openstreetmap.org/edit only loads from jsdelivr with XHR queries, not code loads:


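Added example, not code from this thread or from openstreetmap.org: it parses a constructed Content-Security-Policy header and reports whether a CDN host (cdn.jsdelivr.net is assumed as jsdelivr's host) may serve script as opposed to XHR data, applying the default-src fallback the way a browser does, and includes the hash-pinning check behind "vet it, then serve it locally". It handles host and scheme sources only, not ports, paths, nonces or hash sources.

```python
import hashlib
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when a policy omits them.
FETCH_DIRECTIVES = ("script-src", "connect-src", "style-src", "img-src")

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _source_matches(source, host):
    """Host-source matching only; 'self', 'none', nonces and hashes never name a host."""
    s = source.lower()
    if s == "*":
        return True
    if s.startswith("'"):
        return False
    if s.endswith(":") and "//" not in s:  # scheme source such as https: allows any host
        return True
    pattern = urlsplit(s if "://" in s else "//" + s).hostname or s
    if pattern.startswith("*."):           # *.example.net covers subdomains, not the apex
        return host.endswith(pattern[1:])
    return host == pattern

def host_allowed(policy, directive, host):
    """Use the directive, else its default-src fallback, else 'no policy' (anything goes)."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src", ["*"])
    return any(_source_matches(src, host) for src in sources)

def third_party_exposure(header, host):
    """Map each fetch directive to whether `host` may serve that kind of resource."""
    policy = parse_csp(header)
    return {d: host_allowed(policy, d, host) for d in FETCH_DIRECTIVES}

def vet_artifact(data, pinned_sha256):
    """Serve a mirrored CDN file only while it matches the hash recorded when it was vetted."""
    return hashlib.sha256(data).hexdigest() == pinned_sha256.lower()

# Constructed sample policies; not openstreetmap.org's real header.
DATA_ONLY = "default-src 'self'; script-src 'self'; connect-src 'self' https://cdn.jsdelivr.net"
CODE_TOO = "default-src 'self' https://cdn.jsdelivr.net"
print(third_party_exposure(DATA_ONLY, "cdn.jsdelivr.net"))
print(third_party_exposure(CODE_TOO, "cdn.jsdelivr.net"))
```

The first policy is the shape the replies describe (data via XHR allowed, no script from the CDN); the second silently permits script as well through the default-src fallback.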