Is it possible to use Ghost without loading any third party services? This includes JSDELIVR. We do not want to load a CDN. Privacy Badger by the Electronic Frontier Foundation flags JSDELIVR as a potential tracker on our site even though we disabled memebership signups, the portal and we deleted all code in our theme that is related to search functionality.
We are self-hosting Ghost and we use a modified version of the journal theme. Until recently it was possible to use Ghost without loading any external sources. As mentioned in the beginning, we disabled the signup portal and we have no code in our theme that relates to search functionality. In consequence we expected no CDN would be injected. This was not the case. But in Ghost version 5.4.0 it was still possible to disable UNPKG CDN by deleting these lines in the configuration file (versions/5.4.0/core/shared/config/defaults.json):
"sodoSearch": {
"url": "https://unpkg.com/@tryghost/sodo-search@~1.0.0/umd/sodo-search.min.js",
"version": "1.0.0"
},
Since Ghost version 5.5.0 UNPKG has been replaced with JSDELIVR. We tried to proceed the same way and we removed sodoSearch from the configuration file (versions/5.7.0/core/shared/config/defaults.json):
"sodoSearch": {
"url": "https://cdn.jsdelivr.net/npm/@tryghost/sodo-search@~{version}/umd/sodo-search.min.js",
"styles": "https://cdn.jsdelivr.net/npm/@tryghost/sodo-search@~{version}/umd/main.css",
"version": "1.1"
},
However doing so did break our Ghost installation. I.e.: code injection in the site header stopped to work.
This indicates to us that JSDELIVR is not only used for Membership features and search functionality (as indicated in the privacy declaration of ghost: Ghost/PRIVACY.md at main · TryGhost/Ghost · GitHub), but that other important features of a ghost installation now rely on JSDELIVR as well.
For the time being we downgraded our Ghost installations to version 5.4.0. For us and for some of our customers it is not an option to use a CDN that gets flagged by the EFF as a potential tracker. We do have customers who don’t want to use extternal sources at all and who require us to host all fonts, scripts, libraries, etc. locally.
We would very much like to keep using Ghost because we think it is great software! Is there any way to use Ghost without loading JSDELIVR and without breaking core functionality like code injection?