
Does This Webhost's Odd Javascript-Explanation Make Sense?

If there are Google-Fonts scripts running on some pages of a website (but not all of them), and a developer in customer service tells me that I am wrong, the website does NOT run any Google Fonts at all; but rather my plugin needs to be reinstalled...

...then I do that, and can still find scripts on different pages than before.

...PLUS I can detect them with a separate plugin (that I didn't mention to them), could they be mistaken? Does their explanation make sense, from a programming perspective?

Sorry, here's why I ask:

Essentially, I need to know if I can trust FlokiNet ( https://flokinet.is/ ) as a webhost for developing a fully-privacy-respecting website that journalists can trust to keep their identities private.

I visited their website with NoScript and EFF's Privacy Badger installed.

Both of these tools indicated that there were Google scripts running on their website on some pages. One gstatic (probably Google fonts?) and another Google maps script (only on one page).

I visited their blog, and the same thing. Gstatic scripts. On every page this time (Likely Fonts, I'd guess).

(I have extensive screenshots, if you want to see them.)

I reached out because technically, Google Fonts sends IP info to Google, according to Bryce Wray (link: https://brycewray.com/posts/2020/08/google-fonts-privacy/ ).

Here's the thread:

THEM:

Hello,

the contact page contained an old maps link which was not removed from the source code and has been fixed now.

There is no google fonts usage on our page (we are well aware of the problems with using it), please check your privacy badger / browser as this must be an error.

ME:
Great. Glad to hear the Google Maps code was an error. That makes me feel much better.

I'll reach out to EFF and see if I can understand why a Google Fonts script is being identified. I'm relieved to hear you are aware of the issues with those.

THEM:

There is no need to reach out to EFF, just reinstall the privacy badger, it will solve it.

Here's what I did after this exchange:

First off, he says he totally knows about Google Fonts being a problem.

I reinstalled Privacy Badger, as instructed. Then re-visited the Flokinet page in question.

It appeared to work. No Gstatic script. The Google Maps script was gone as promised, too.

Then I kept clicking around, just on a whim.

I found another set of scripts (screenshots available), and the blog still had tons of them.

NoScript (which I didn't mention) detected the gstatic scripts also, and did so consistently in tandem with Privacy Badger.

I was so confused and frustrated, I just dropped it.

I went back 2 days ago thinking it was an error, and it's still there! (Screenshot available)

The blog is still full of them also.

Does this explanation of theirs make any programming-sense? Are my tools broken, or is it possible he is mistaken?

There are two separate things getting confused here.

The site at https://flokinet.is does not have any google-sourced content, fonts, scripts or anything else. They are missing a few simple things that I'm sure they could fix easily (like a CSP header), but 0 cookies, 0 trackers is a good start.

Quite separately, https://blog.flokinet.is is a WordPress blog on a separate IP (though only 1 address higher), and this does use Google fonts.

It's easy to gather reports on the site, and the blog to let you see the difference, and that they both have privacy and security deficiencies. I'd say the only unforgivable thing (given their "100% Secure" claim on their home page) is that they serve anything at all without TLS.

It's not all bad. They are clearly trying (which is rare in itself), they're just not quite there yet.
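An added example, not part of the original answer: one way to check, independently of any browser extension, which third-party hosts a page's HTML makes the browser contact, run once per page because the main site and the blog can differ. The hostnames and HTML below are constructed placeholders, and `ThirdPartyFinder` and `third_party_hosts` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes a browser fetch a sub-resource (<a href> does not).
FETCH_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}
# <link> only triggers a request for these rel values (rel=canonical does not).
FETCHING_RELS = {"stylesheet", "preload", "preconnect", "icon"}

class ThirdPartyFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.external = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not FETCHING_RELS & rels:
            return
        # urljoin resolves relative and protocol-relative ("//host/...") URLs.
        host = urlsplit(urljoin(self.page_url, value)).hostname
        if host and host != self.page_host:
            self.external.add(host)

def third_party_hosts(page_url, html):
    """Return the sorted hosts, other than the page's own, that the HTML loads from."""
    finder = ThirdPartyFinder(page_url)
    finder.feed(html)
    return sorted(finder.external)

# Constructed sample pages (placeholders, not captured from any real site).
MAIN_URL = "https://example.org/contact"
MAIN_HTML = """<html><head><link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="https://www.example.org/contact">
<script src="js/app.js"></script></head>
<body><a href="https://maps.google.com/">map</a><img src="/logo.png"></body></html>"""
BLOG_URL = "https://blog.example.org/"
BLOG_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans">
<script src="/wp-includes/js/jquery.js"></script></head><body></body></html>"""

if __name__ == "__main__":
    for url, html in ((MAIN_URL, MAIN_HTML), (BLOG_URL, BLOG_HTML)):
        print(url, "->", third_party_hosts(url, html) or "no third-party hosts")
```

A static scan like this only sees what the HTML itself references; resources pulled in by a CSS `@import` or injected by a script at runtime show up only in the browser's network activity, which is what NoScript and Privacy Badger observe.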
