test, I unexpectedly received a report from a scanner that flagged my site as “High risk”
Posted: 14 Aug 2025, 07:21
Hello,
while working further on my X3 website, I wanted to quickly check whether any cookies were being set at all.
During this test, I unexpectedly received a report from a scanner that flagged my site as “High risk” — not because of cookies, but because several files were being loaded from cdn.jsdelivr.net.
Why this matters for GDPR scanners
jsDelivr has servers worldwide, including in the USA.
Even though these files are just static libraries and don’t set cookies themselves, the request still sends the visitor’s IP address outside the EU.
This is enough for certain privacy and security scanners (e.g. Cookiebot, WebPageTest) to flag the site as risky.
My goal
I’m not trying to “fix” something that’s broken — X3 works perfectly for me and I appreciate the clean setup.
This is simply about avoiding false warnings in such scanners and making the default setup even more GDPR-friendly.
Suggestion / request
Would it be possible to:
Serve these libraries locally with the CMS package, or
Load them only from an EU-based source?
Files currently reported as loaded from jsDelivr:
x3.skin.white.css
anime.min.js
velocity.ui.min.js
fotorama.js
jquery.min.js
string.min.js
nprogress.min.js
kicoesent.min.js
If you could point me to the exact place in the code where these are included, I’d be happy to try a local version myself.
Of course, if you have an official alternative, that would be even better.
In my next post, I’ll attach a WebPageTest screenshot showing the jsDelivr calls, just for reference.
Thanks a lot in advance — and also for all your great work on X3!
while working further on my X3 website, I wanted to quickly check whether any cookies were being set at all.
During this test, I unexpectedly received a report from a scanner that flagged my site as “High risk” — not because of cookies, but because several files were being loaded from cdn.jsdelivr.net.
Why this matters for GDPR scanners
jsDelivr has servers worldwide, including in the USA.
Even though these files are just static libraries and don’t set cookies themselves, the request still sends the visitor’s IP address outside the EU.
This is enough for certain privacy and security scanners (e.g. Cookiebot, WebPageTest) to flag the site as risky.
My goal
I’m not trying to “fix” something that’s broken — X3 works perfectly for me and I appreciate the clean setup.
This is simply about avoiding false warnings in such scanners and making the default setup even more GDPR-friendly.
Suggestion / request
Would it be possible to:
Serve these libraries locally with the CMS package, or
Load them only from an EU-based source?
Files currently reported as loaded from jsDelivr:
x3.skin.white.css
anime.min.js
velocity.ui.min.js
fotorama.js
jquery.min.js
string.min.js
nprogress.min.js
kicoesent.min.js
If you could point me to the exact place in the code where these are included, I’d be happy to try a local version myself.
Of course, if you have an official alternative, that would be even better.
In my next post, I’ll attach a WebPageTest screenshot showing the jsDelivr calls, just for reference.
Thanks a lot in advance — and also for all your great work on X3!
