[Bug]: Hidden call to https://fonts.googleapis.com in style.css #14553

Closed
6 tasks done
ema7569 opened this issue Jan 5, 2024 · 11 comments
Labels
bug-report Report of a bug, yet to be confirmed

Comments

@ema7569

ema7569 commented Jan 5, 2024

Checklist

  • The issue exists after disabling all extensions
  • The issue exists on a clean installation of webui
  • The issue is caused by an extension, but I believe it is caused by a bug in the webui
  • The issue exists in the current version of the webui
  • The issue has not been reported before recently
  • The issue has been reported before but has not been fixed yet

What happened?

The file style.css contains a call to https://fonts.googleapis.com to retrieve fonts. Do we have a reason to inform Google when we launch webui? A non-secured browser will send Google the following information about each webui user:

  • IP address,
  • Referer: 127.0.0.1:7680 (webui local address)
  • User Agent (the browser you use)
  • The connection time

Is this really necessary? In security terms, that falls into the spyware category.
I also found another security hole like that: the file iframeResizer.contentWindow.min.js is downloaded from https://cdnjs.cloudflare.com/ajax/libs/iframe-resizer/4.3.6/iframeResizer.contentWindow.min.js each time webui starts,
called by the built-in extension canvas-zoom-and-pan.

I also found another call to play.google.com, not yet identified whether it comes from an extension or from the webui.

Steps to reproduce the problem

...

What should have happened?

...

What browsers do you use to access the UI ?

No response

Sysinfo

...

Console logs

...

Additional information

No response

@ema7569 ema7569 added the bug-report Report of a bug, yet to be confirmed label Jan 5, 2024
@Woisek

Woisek commented Jan 5, 2024

Ehm ... trolling?

The file style.css contains a call to https://fonts.googleapis.com/ to retrieve fonts. Do we have a reason to inform Google when we launch webui?

The reason why "google is informed", is to get the font and not how, why or what it is used for.

A non-secured browser will send Google the following information about each webui user.

IP address,
Referer: 127.0.0.1:7680 (webui local address)
User Agent (the browser you use)
The connection time

Is this really necessary?

Ehm ... yes, because that's how computers interact in a network.

In security terms, that falls into the spyware category.

Sorry, that is just plain BS. You have obviously absolutely no clue about "security". To this day, not a single person can explain what the problem is when a computer, like millions of others every day, requests a file from another computer.

I also found another security hole like that: the file iframeResizer.contentWindow.min.js is downloaded from https://cdnjs.cloudflare.com/ajax/libs/iframe-resizer/4.3.6/iframeResizer.contentWindow.min.js each time webui starts

This is not a "security hole", this is just downloading recent resources. You can cut this off, but then you have to manually update this file when an update requires it.

I also found another call to play.google.com, not yet identified whether it comes from an extension or from the webui

Probably the Jehovah's Witnesses who want to monitor what you do with the thing ...

I would suggest you start to learn how computers work, how networks work, how computers communicate in those networks, what "security" means in this context and how web development/programming works.

BTW, did you know that your OS creates hundreds of connections each day and downloads files from Microsoft ... ?
Is this really necessary? 😑

@pastuh

pastuh commented Jan 5, 2024

I agree that it sounds alarming, even though there are no actual threats.
But..
The application claims to be able to operate in offline mode, but as we can see, it still accesses the internet.
I think changes are needed, even though it is not a critical issue.

Regarding the .js file, I believe it is officially hosted, and there is no immediate threat from external changes.
However, since it's a script that someone could potentially modify at some point, it should either be hosted locally or a popup should be displayed, preventing functions from activating without confirmation.

@neophrema

Wow, remarkable.
I genuinely do not know if you, Woisek, are trolling:

  1. You don't add to the issue, you just insult and belittle someone else. In no circumstance use swear words; instead take a walk and cool down.
  2. If you do not care about the issue, leave it. It's netiquette. There are people who care about their data (and metadata).
  3. I'm pretty sure the ticket opener understands that it's about getting the font; the question is why it has to be loaded from Google, as if there weren't an alternative.
    A huge point of running things locally is that the Five Eyes do NOT get informed, in any way. I at least DO care about it and I disabled this stuff locally. Webui runs fine without it.

My honest conclusion is that you have neither read nor understood what the point was, therefore I suggest you let it go. Your passive-aggressive way of answering is not helpful here.

p.s. chances are high some people using webui do not use Microsoft for these reasons, think before talking.

@w-e-w
Collaborator

w-e-w commented Jan 5, 2024

that has been in the code for some time

/* temporary fix to load default gradio font in frontend instead of backend */
@import url('https://fonts.googleapis.com/css2?family=Source+Sans+Pro:wght@400;600&display=swap');

and it is intended to fix stuff

read the PR #10324 for reasons

I'm not sure if that code is still necessary, but that's the original intent


note we are in the process of switching to gradio 4.x, see PR #14184
given that these issues are gradio-related workarounds, it is possible that they will be resolved after the switch
and let's hope the issue doesn't get worse 🫠

@Woisek

Woisek commented Jan 5, 2024

I agree that it sounds alarming, even though there are no actual threats. But.. The application claims to be able to operate in offline mode, but as we can see, it still accesses the internet. I think changes are needed, even though it is not a critical issue.

It accesses the internet to stay up to date. If you don't want that, pull the plug of the network cable and it still works. But this doesn't change how all this works.

@Woisek

Woisek commented Jan 5, 2024

Wow, remarkable. I genuinely do not know if you, Woisek, are trolling:

No, but it seems you also don't know about the things and how they work, do you?

1. You don't add to the issue, you just insult and belittle someone else. In no circumstance use swear words; instead take a walk and cool down.

Really? I don't add to a non-existent issue but explain how it works? Wow ... And I want you to quote the exact words of my insulting or the swear words I used.
Careful: If you can't do this, you are obviously lying.

2. If you do not care about the issue, leave it. It's netiquette. There are people who care about their data (and metadata).

There is no issue. But feel free to explain about what "high security and secret" data we are talking about here when a computer gets (font) files from another computer. Please enlighten us.
And go!

3. I'm pretty sure the ticket opener understands that it's about getting the font; the question is why it has to be loaded from Google, as if there weren't an alternative.

Because it's convenient? If you don't like it, copy the font files to your computer (careful!! You have to access another computer to do that!) and remove the line in the CSS. Doing it all manually is a way, but nothing worth opening an issue report here and falsely talking about security threats or even using words like "spyware".

   A huge point of running things locally is that the Five Eyes do NOT get informed, in any way. I at least DO care about it and I disabled this stuff locally. Webui runs fine without it.

So you admit therefore that this "issue" isn't an issue, can be fixed blindfolded, and isn't worth an issue report? Thanks ... so why do you get on my nerves then instead of telling the TO?

My honest conclusion is that you have neither read nor understood what the point was, therefore I suggest you let it go. Your passive-aggressive way of answering is not helpful here.

Quite the contrary. The point is, there is no point. In his inexperience, the TO has labeled a perfectly normal technical process as highly dangerous, thereby scaring other inexperienced people to a high degree and unnecessarily. That is simply not acceptable.
THAT is not helpful here. So keep your "suggestion" to yourself.

p.s. chances are high some people using webui do not use Microsoft for these reasons, think before talking.

Oh, of course ... MS has the only OS that sends, receives and reports files to a server, right ... how stupid of me ...
You really shouldn't have written this incompetent text ...

@neophrema

I'm undecided if I go on with this feud with the troll, or let it go, since it doesn't add to the issue.
Does someone else want to jump in?
How about neither Woisek nor I participate in this issue, then this will be a lot more productive, I think.
Sincerely,

@paboum

paboum commented Jan 7, 2024

I confirm. Two queries are leaking outside.
[screenshot attached in the original issue]
These should be cached inside the bundle or the custom font should not be used.

Given the security threat model that includes severe EU anti-AI regulations that will punish with imprisonment for SD usage, this is a serious issue.

@ice-fly

ice-fly commented Jan 7, 2024

Given the security threat model that includes severe EU anti-AI regulations that will punish with imprisonment for SD usage, this is a serious issue.

Forgive the dumb American: What regulations? Specifically?
And how is google going to differentiate web developers or children building a website using google fonts on a local server vs someone using automatic1111 webui?

In some sense I think I agree with you. I support you (and all other Europeans) going and downloading OpenWrt onto your router, blocking all web requests to internet tech giants, so that only the Chinese-manufactured hardware you are running can report your data back to the CCP. Like, at what level is the security risk acceptable to you? I'm curious how you learned about AI without using these giant tech companies like Google, Twitter, and Reddit?

OH NO! you posted a bug report about AI on microsoft owned github!!! Now the EU is going to track you down and imprison you since you admitted to using AI!

Recommend wontfix since the bug is existential and beyond the scope of this repo.

@paboum

paboum commented Jan 7, 2024

Threat modelling, as the name suggests, is not about responding to current attacks (which would be illegal and considered criminal conspiracy if such anti-AI laws already existed) but rather about identifying and taking countermeasures against potential attacks. Clearly, some users are afraid of such attacks and there is no meaningful reason why this UI should connect to Google's server at any time. We can run this software on isolated virtual machines, use firewalls and whatnot, or this font could simply be bundled together with the software. There is basically no need for presenting your political or otherwise non-technical views that are not contributing to issue resolution.

@w-e-w
Collaborator

w-e-w commented Jan 7, 2024

as of 2f98a35 webui no longer loads fonts from Google Fonts; instead it downloads them from https://github.com/AUTOMATIC1111/stable-diffusion-webui-asset on webui install, and they are served to the web page front end provided that you are using the "Default theme"

notice: if this post continues to deteriorate this post will be locked
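
The @import quoted earlier in this thread, the CDN script the reporter mentions, and the bundled-font approach this comment describes, run through a small audit script added here (not the webui's own code; the font file paths in LOCAL_CSS are an assumption). It flags every stylesheet or script reference a browser would resolve to a host other than the local machine, so a checkout can be checked for this class of egress before shipping:

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Matches url(...) and bare @import "..." in CSS, and src="..." in HTML or JS.
URL_RE = re.compile(
    r"""url\(\s*['"]?(?P<u1>[^'")\s]+)['"]?\s*\)"""
    r"""|@import\s+['"](?P<u2>[^'"]+)['"]"""
    r"""|\bsrc\s*=\s*['"](?P<u3>[^'"]+)['"]""",
    re.IGNORECASE,
)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def external_hosts(text: str) -> list[tuple[str, str]]:
    """Return (host, url) for every reference that makes the browser contact another machine."""
    hits = []
    for m in URL_RE.finditer(text):
        url = m.group("u1") or m.group("u2") or m.group("u3")
        if url.startswith("//"):  # protocol-relative URLs still leave the machine
            url = "https:" + url
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.hostname not in LOOPBACK:
            hits.append((parsed.hostname, url))
    return hits

def audit(files: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Map each file name to its external references; files with none are left out."""
    report = {name: external_hosts(body) for name, body in files.items()}
    return {name: refs for name, refs in report.items() if refs}

# Constructed samples: the @import quoted in this thread, the CDN script it mentions,
# and a bundled replacement (the font file paths are an assumption, not the webui's own).
STYLE_CSS = """
/* temporary fix to load default gradio font in frontend instead of backend */
@import url('https://fonts.googleapis.com/css2?family=Source+Sans+Pro:wght@400;600&display=swap');
"""
EXTENSION_JS = """
const s = document.createElement('script');
s.src = "https://cdnjs.cloudflare.com/ajax/libs/iframe-resizer/4.3.6/iframeResizer.contentWindow.min.js";
"""
LOCAL_CSS = """
@font-face { font-family: 'Source Sans Pro'; font-weight: 400;
             src: url('./assets/fonts/SourceSansPro-Regular.woff2') format('woff2'); }
@font-face { font-family: 'Source Sans Pro'; font-weight: 600;
             src: url('./assets/fonts/SourceSansPro-SemiBold.woff2') format('woff2'); }
"""

if __name__ == "__main__":
    for name, refs in audit({"style.css": STYLE_CSS, "ext.js": EXTENSION_JS, "local.css": LOCAL_CSS}).items():
        for host, url in refs:
            print(f"{name}: request would leave the machine -> {host}  ({url})")
```

The bundled LOCAL_CSS produces no findings, which is the property the 2f98a35 change is meant to give the default theme.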

@w-e-w w-e-w closed this as completed Jan 7, 2024