
Add LibreCounter stats #167

Closed (wants to merge 1 commit)

Conversation

@alexfernandez commented Oct 21, 2023

Description

Add stats for fastify.dev on librecounter.org/fastify.dev/show. No cookies or tracking necessary. Please let me know if the chosen mode (hidden image) is appropriate; there are other options and I can implement another style if needed.

I found the way of adding raw HTML on this file from the original project. It can add arbitrary content.

Glad to give something back to Fastify as it has helped me on so many projects. Thanks!

Related Issues

Fixes #165.

Check List

@Eomm (Member) left a comment

Blocking for security reasons.
Integrating an external URL may be a vector of injection.

Thanks for the PR, but if we go with this solution, we must deploy a https://github.com/alexfernandez/librecounter installation on our server.

@alexfernandez (Author) commented Oct 21, 2023

Thanks for the review, @Eomm! I am a bit baffled though 🤔 May I ask what risks you have in mind? It's not a script or an iframe: just an image tag <img>, so only an image can be "injected", and also it is not shown on the page, so there is no risk of changing the image to something offensive or having it break the site. As far as I know, including external images should be quite safe. After a quick search I did not find major concerns, but I'm willing to be educated.

You can also see on the original Docusaurus project that they similarly include an image from Netlify.

@Uzlopak (Contributor) commented Oct 21, 2023

I am also not convinced of the GDPR conformance claim. Yes, it is true that not storing personal data is not a GDPR issue. But the issues are more about transferring or relaying the personal information to third-party sites without consent.

So if somebody visits fastify.dev, then it is a consensual interaction to process their IP and everything. The moment we load external third-party resources, we force the visitor to also load the content, forcing them to send their IP address to the third party.

Comparable to google fonts.

@alexfernandez (Author) commented Oct 21, 2023

@Uzlopak Well, it is true that you have to verify that any resources included in the page are also GDPR-compliant to be GDPR-compliant yourself. You have full access to the LibreCounter code, but I might surreptitiously change it to do mildly evil things like store IP addresses and user agents; not a lot of harm but possible mischief. To counter this, I can give you limited access to the server if you want, so you can audit the running code at any time. In any case I would be breaking the GDPR myself if I did this, and would be liable: I'm located in Spain and so is the server hosting librecounter.org.

@Uzlopak (Contributor) commented Oct 21, 2023

You don't store personal information and are GDPR conformant. But by embedding the link to the external server, which is loaded automatically with the image, we as the site owner need to get the consent of our visitor to send their data to your server.

I actually wonder now if embedding the stars and fork buttons from GitHub is GDPR conformant or not.

@alexfernandez (Author) commented

@Uzlopak That is not how it works AFAIK: you need user consent to send any tracking info to third parties, but this is not what is done here.

The user is sending you their IP address and user agent, they get a webpage and then they instruct the browser to fetch all included images, so they are sending their IP address and user agent to other servers. The user may perfectly well not go to any other servers to fetch outside images. And as long as the third party server is invoked with a legitimate interest, as seen e.g. here, then you should be fine. But I would be happy to be proven wrong.

@alexfernandez (Author) commented

As another data point, I don't think you are requesting (or actually need) user consent for embedding images from avatars.githubusercontent.com in your home page:

<img src="https://avatars.githubusercontent.com/u/5059100?v=4&amp;s=192" alt="Aras Abbasi's profile picture" width="96" height="96" loading="lazy">

The web would break in a million places if embedding external images was not possible!
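The thread turns on one mechanism: every external <img>, <script>, <link> or <iframe> in a served page makes the visitor's browser open a connection to that origin, sending its IP address and User-Agent there. A site owner who wants to reason about this (as the maintainers do above for avatars.githubusercontent.com) first needs an inventory of which third-party origins the built pages actually reference. The script below is an added example, not code from the Fastify website project or from LibreCounter: it scans an HTML document for automatically fetched resources, reports the external origins, and derives a Content-Security-Policy img-src allow-list from them, so that any image later added from a new origin is blocked by the browser and shows up in CSP violation reports instead of silently becoming a new data transfer. It goes slightly beyond the images discussed here by also covering scripts, iframes and stylesheets. SAMPLE_HTML is constructed for the demonstration; it reuses the avatar tag quoted above, while counter.example and cdn.example are placeholder domains.

```javascript
// Added example (not part of fastify/website or LibreCounter): inventory the
// third-party origins a page makes the visitor's browser contact, and build a
// CSP img-src directive that pins images to the origins already in use.

// Tags whose src/href the browser fetches automatically. The lookbehind keeps
// attributes such as data-src from being mistaken for src.
const FETCHING_TAGS =
  /<(img|script|iframe|link|source|video|audio)\b[^>]*?(?<![\w-])(src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;

/**
 * Returns one record per external resource reference found in `html`.
 * `siteOrigin` is the origin the page is served from; same-origin, relative
 * and data: URLs are not reported because they cause no third-party request.
 */
function auditExternalResources(html, siteOrigin) {
  const site = new URL(siteOrigin).origin;
  const findings = [];
  for (const match of html.matchAll(FETCHING_TAGS)) {
    const [, tag, attr, rawUrl] = match;
    // Attribute values are HTML-encoded (&amp;), decode before URL parsing.
    const decoded = rawUrl.replace(/&amp;/g, '&');
    let url;
    try {
      url = new URL(decoded, site); // relative URLs resolve against the site itself
    } catch {
      continue; // unparsable value (e.g. a template placeholder): nothing is fetched
    }
    if (url.origin === site || url.protocol === 'data:') continue;
    findings.push({
      tag: tag.toLowerCase(),
      attr: attr.toLowerCase(),
      url: url.href,
      origin: url.origin,
    });
  }
  return findings;
}

/** Distinct third-party origins, sorted so the list diffs cleanly between builds. */
function externalOrigins(findings) {
  return [...new Set(findings.map((f) => f.origin))].sort();
}

/**
 * Content-Security-Policy img-src directive allowing only the image origins
 * already present. A newly added image from any other origin is then blocked
 * by the browser rather than quietly sending visitor data to a new party.
 */
function imgSrcDirective(findings) {
  const imgOrigins = externalOrigins(findings.filter((f) => f.tag === 'img'));
  return ["img-src 'self'", ...imgOrigins].join(' ');
}

// Constructed sample page (not real site output): the avatar tag quoted in the
// thread, a hypothetical hidden 1x1 counter image, and a third-party script.
const SAMPLE_HTML = `
<html><body>
<img src="/img/logo.svg" alt="logo">
<img src="https://avatars.githubusercontent.com/u/5059100?v=4&amp;s=192" alt="Aras Abbasi's profile picture" width="96" height="96" loading="lazy">
<img src="https://counter.example/hit.png" alt="" width="1" height="1" style="display:none">
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example/widget.js"></script>
</body></html>`;

const sampleFindings = auditExternalResources(SAMPLE_HTML, 'https://fastify.dev');
console.table(sampleFindings);
console.log(externalOrigins(sampleFindings));
console.log(imgSrcDirective(sampleFindings));
```

Run it against the HTML a static site generator emits (one call per built page, concatenating the results) and keep the origin list under version control; a pull request that introduces a new origin then changes a reviewed file instead of slipping in as a single tag. Pinning img-src to that list is optional, but it is the part that turns the inventory into an enforced control.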

@Uzlopak (Contributor) commented Oct 21, 2023

Well, maybe we need to consider persisting the avatars on our server instance.

@Uzlopak (Contributor) commented Oct 21, 2023

Opened #168

@alexfernandez (Author) commented

That is a weird conclusion, and quite pointlessly hostile in my opinion. In any case I will withdraw my submission since it's not appreciated, let me know if you are interested in my little project at any point.

@Uzlopak (Contributor) commented Oct 23, 2023

@alexfernandez

I don't know why you think that my conclusion would be hostile. I personally think your solution is awesome. But the GDPR aspect is for me not that clear, and your input was useful as it forces us to reconsider our GDPR conformance as a whole.

@alexfernandez (Author) commented Oct 23, 2023

OK, I understand your point of view better now. Sorry for jumping to conclusions. I would think that self-hosting all images is detrimental for the project and would be a non-optimal outcome of my PR, but if you are going that path regardless, then I will keep the PR on hold until it is resolved, hopefully by (rightfully) determining that external images are OK as long as they are justified.

Successfully merging this pull request may close these issues: Site stats.

3 participants