GDPR (EU data protection law) violation due to Google Fonts CDN use

[mspae]

Hello, just a heads up concerning the use of google fonts CDN without user's consent.

This violates the GDPR (General Data Protection Regulation) which is the EU framework law (implemented by member states in national law) concerning data protection. Here is a source https://www.cookieyes.com/documentation/google-fonts-and-gdpr/

Beyond the legal aspect it is a privacy concern that any request to a sveltia backend is potentially tracked by Google which is a privacy concern.

I understand that the Google Fonts CDN is uset to make the "drop-in replacement to decap" aspect work and also allow completely flexible localization.

Therefore my proposal for a solution:

Make this an option in the SiteConfig: google-fonts-cdn (default), system-font (uses the system-ui font family which is widely supported and some other fallbacks), self-hosted (Setting this option enables another configuration property where the font URLs and font-families for use in CSS are specified)

I realize this is probably something for the post-1.0.0 phase but I thought it would be helpful to document this as early as possible all the same.

Cheers!

[kyoshino]

Thanks for the heads-up. We plan to add a setting that allows users to change the UI font to the system font, similar to Bluesky. However, Sveltia CMS also uses Material Symbols icons. We have to include it in our bundle if we want to avoid using Google Fonts.

Sveltia CMS also integrates other services, mostly opt-in, as mentioned in the README. See also: unpkg/unpkg#294

Sveltia CMS itself is not a service but software with no user data collection, so we are probably not in a position to implement a cookie banner or privacy policy. Each developer who implements Sveltia CMS must create one if needed. Currently, in most cases, the developer is the sole user of the CMS. I’m not sure if documentation is even needed.

This would change when we support multi-user scenarios with Editorial Workflow, Open Authoring and a Git Gateway alternative in v2.0 and later.

I’ll revisit this after the 1.0 release.

[Greenheart]

Here are two potential solutions that I use in my projects to avoid this issue:

For fonts and dynamically imported icons (defined by users of Sveltia CMS during runtime) - consider using https://github.com/fontsource/fontsource and install their npm modules to bundle fonts together with the code and completely remove the need for sending requests to Google Fonts. This would also improve the performance for users of Sveltia CMS.

• https://fontsource.org/docs/getting-started/introduction
• https://fontsource.org/docs/getting-started/material-symbols

For statically imported icons (defined in the Sveltia source code) - consider using the Vite plugin unplugin-icons and bundle icons that way. http://github.com/unplugin/unplugin-icons.

Let me know if you want further info and I'd be happy to help :)

---

Until this is implemented, here's a quick way users of @sveltia/cms can solve this in Vite-based projects (e.g. SvelteKit, Astro, Remix etc):

// vite.config.ts
import { defineConfig, type Plugin } from 'vite'

function ensureGDPRCompliantFonts(): Plugin {
  const fontsURLRegex = /fonts\.googleapis\.com\/css2/g
  const replacement = 'fonts.bunny.net/css'
  return {
    name: 'gdpr-compliant-fonts',
    enforce: 'post',
    transform(code) {
      if (fontsURLRegex.test(code)) {
        return code.replaceAll(fontsURLRegex, replacement)
      }
    },
  }
}

export default defineConfig({
  plugins: [ensureGDPRCompliantFonts()],
})

[nocanoa]

I swapped to fonts.bunny.net for all my website, EU based company and committed to GDPR
They are a 1:1 replacement for Google fonts