Hello,
sorry for the late reply, I was unfortunately busy with other things.
Let me briefly assess the whole thing from a data protection perspective, as scripts and stylesheets from external CDNs such as cdn.jsdelivr.net, cdn.tailwindcss.com, and cdnjs.cloudflare.com are integrated—without the prior consent of users.
Key issues from a data protection perspective:
GDPR violation (Articles 6, 7, 13):
External CDNs usually receive personal data (IP addresses, browser fingerprints, cookies, if applicable). Without consent or an alternative legal basis, this data transfer is not permitted.
ePrivacy Directive:
Loading external resources may set cookies or similar technologies – this requires active consent (opt-in).
Now, of course, one could argue that this only concerns the IP address(es) of the mail server operator, but that might be too short-sighted.
Depending on where the app is hosted, this could lead to problems.
Of course, there are various possible solutions, which I would like to consider here:
Consent management: Obtain user consent before loading external resources (e.g., via cookie banners).
- However, the operator must regularly monitor changes in the legal situation and case law. This again requires more maintenance effort than may be necessary.
Transparency: Add information about integrated third-party services to the privacy policy.
- Here, too, the operator must regularly monitor changes in the legal situation and case law. Again, this requires more maintenance than may be necessary.
Local alternatives: Host libraries yourself to avoid data transmission.
- In my opinion, this is the most sensible option, as it eliminates any data transfer to third parties and ensures that scripts and stylesheets are always available.
I take a look at the source code and decide to submit a PR. However, I am not a developer but a data protection and information security consultant, so this may take some time.
In principle, it is these lines in index.html that would have to be converted to local assets:
```html
<script src="https://cdn.tailwindcss.com"></script>
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.0/dist/chart.umd.min.js"></script>
<link rel="stylesheet"
href="https://cdnjs.cloudflare.com/ajax/libs/github-markdown-css/5.5.1/github-markdown.min.css">
<script>
```
I hope I have been able to clarify the situation and illustrate my thoughts accordingly.
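
The conversion to local assets described in the comment above can be audited mechanically. The following Python example is an addition, not part of the original comment or the project's code: it lists every script or stylesheet a page loads from another host and rewrites those that name a file to a local path, leaving URLs without a file name (here `cdn.tailwindcss.com`) for a manual decision. The `vendor/` directory, the function names and the `/static/app.js` entry in the sample are assumptions.

```python
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlsplit

VENDOR_DIR = "vendor"  # hypothetical directory served from the app's own origin
FETCHING_RELS = {"stylesheet", "preload", "modulepreload", "icon"}

# Constructed sample: the four references quoted above plus one local script.
SAMPLE_HTML = """<script src="https://cdn.tailwindcss.com"></script>
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.0/dist/chart.umd.min.js"></script>
<link rel="stylesheet"
 href="https://cdnjs.cloudflare.com/ajax/libs/github-markdown-css/5.5.1/github-markdown.min.css">
<script src="/static/app.js"></script>"""

class ExternalRefs(HTMLParser):
    """Collect <script src> and fetching <link href> URLs that name another host."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and FETCHING_RELS & set((a.get("rel") or "").lower().split()):
            url = a.get("href")
        else:
            return
        if url and urlsplit(url).netloc:  # absolute or protocol-relative URL
            self.urls.append(url)

def find_external(html):
    parser = ExternalRefs()
    parser.feed(html)
    return parser.urls

def local_path(url):
    """Map a URL to vendor/<host>/<file>, or None when the URL names no file."""
    name = PurePosixPath(urlsplit(url).path).name
    return f"{VENDOR_DIR}/{urlsplit(url).netloc}/{name}" if "." in name else None

def rewrite(html):
    """Return (rewritten_html, unresolved_urls); only double-quoted values are rewritten."""
    refs = {url: local_path(url) for url in find_external(html)}
    for url, target in refs.items():
        if target:
            html = html.replace(f'"{url}"', f'"{target}"')
    return html, [url for url, target in refs.items() if target is None]
```

Running `find_external` again on the rewritten page gives the list of third-party loads that remain; the files themselves still have to be downloaded into the local directory.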