Search…

X3 Photo Gallery Support Forums

Search…
 
User avatar
Unblind
Experienced
Topic Author
Posts: 44
Joined: 05 Nov 2018, 04:28

test, I unexpectedly received a report from a scanner that flagged my site as “High risk”

14 Aug 2025, 07:21

Hello,

while working further on my X3 website, I wanted to quickly check whether any cookies were being set at all.
During this test, I unexpectedly received a report from a scanner that flagged my site as “High risk” — not because of cookies, but because several files were being loaded from cdn.jsdelivr.net.

Why this matters for GDPR scanners

jsDelivr has servers worldwide, including in the USA.

Even though these files are just static libraries and don’t set cookies themselves, the request still sends the visitor’s IP address outside the EU.

This is enough for certain privacy and security scanners (e.g. Cookiebot, WebPageTest) to flag the site as risky.

My goal
I’m not trying to “fix” something that’s broken — X3 works perfectly for me and I appreciate the clean setup.
This is simply about avoiding false warnings in such scanners and making the default setup even more GDPR-friendly.

Suggestion / request
Would it be possible to:

Serve these libraries locally with the CMS package, or

Load them only from an EU-based source?

Files currently reported as loaded from jsDelivr:

x3.skin.white.css

anime.min.js

velocity.ui.min.js

fotorama.js

jquery.min.js

string.min.js

nprogress.min.js

kicoesent.min.js

If you could point me to the exact place in the code where these are included, I’d be happy to try a local version myself.
Of course, if you have an official alternative, that would be even better.

In my next post, I’ll attach a WebPageTest screenshot showing the jsDelivr calls, just for reference.

Thanks a lot in advance — and also for all your great work on X3!
Screenshot of unblind.de _ Chrome...on, United Kingdom - WebPageTest Details.jpg
Screenshot of unblind.de _ Chrome...on, United Kingdom - WebPageTest Details.jpg (239.51 KiB) Viewed 1308 times
liebe Grüße
Unblind
 
User avatar
mjau-mjau
X3 Wizard
Posts: 14469
Joined: 30 Sep 2006, 03:37

Re: test, I unexpectedly received a report from a scanner that flagged my site as “High risk”

15 Aug 2025, 02:56

I haven't heard of GDPR-related issues in context with "high risk", as either your website is compliant or it's not. If you feel like you are not GDPR compliant, you can go to Settings > Advanced > Use CDN, and disable it. All assets will then load from your own host.

You might want to read the below, although they blog post is probably subjective.
https://www.jsdelivr.com/terms/privacy-policy
https://www.jsdelivr.com/blog/how-the-g ... fe-to-use/
 
User avatar
Unblind
Experienced
Topic Author
Posts: 44
Joined: 05 Nov 2018, 04:28

Re: test, I unexpectedly received a report from a scanner that flagged my site as “High risk”

15 Aug 2025, 14:35

It's not about GDPR compliance. That's guaranteed. It's about my website bringing all this stuff from the US to Germany.
That's legitimate, of course, but unnecessary and is classified as risky by testing programs.
I think it would make sense, also logically, if German or European servers were used. Right?
Thanks for the insightful links.
.
I consider the EU's regulatory obsession to be a mental illness of power addicts. This doesn't just apply to the internet, but it's particularly disgusting there.
I've now disabled my website's cookie notification. It's nonsense, because no sensitive data is transferred and no cookies are set.
I've also disabled the CDN. We'll see if I notice anything.

Thank you.
liebe Grüße
Unblind
 
User avatar
mjau-mjau
X3 Wizard
Posts: 14469
Joined: 30 Sep 2006, 03:37

Re: test, I unexpectedly received a report from a scanner that flagged my site as “High risk”

16 Aug 2025, 01:23

Unblind wrote: It's not about GDPR compliance. That's guaranteed. It's about my website bringing all this stuff from the US to Germany.
JSdelivr won't load anything from the US. In fact, the point of JSDelivr and CDN, is to load things as close as possible to the visitors geographical location, which in your case would be Germany. For example, you can open the link below in browser with Dev tools on, click "network" tab, click the request and see in the response headers it's likely served from Frankfurt or another popular server hub in Germany:
https://cdn.jsdelivr.net/npm/x3.photo.g ... /x3.min.js

I'm not claiming the above specifically makes it GDPR safe, but just for your info ...
Unblind wrote: That's legitimate, of course, but unnecessary and is classified as risky by testing programs.
I think it would make sense, also logically, if German or European servers were used. Right?
Yes. As noted, this is exactly how CDN services work, and it's exactly the reason why we use JSDelivr CDN in the first place, because it makes sense logically, and because it will load faster for all visitors. 
Unblind wrote:I consider the EU's regulatory obsession to be a mental illness of power addicts. This doesn't just apply to the internet, but it's particularly disgusting there.
I do agree. The problem is, the laws weren't made to stop small/private websites like yours and mine. It was specifically made to stop big companies from "tracking" users between websites, so the tracked data could be used for marketing, advertising and ultimately commercial gain. For example to stop Google, Facebook or basically and bigger smaller ads companies that are try to take advantage of tracking users. This is why there has never been a ruling against a website that does not purposely attempt to do this. Unfortunately, there were then some bad individuals that started blackmailing private owners, which in turn lead to paranoia.
Unblind wrote:I've now disabled my website's cookie notification. It's nonsense, because no sensitive data is transferred and no cookies are set.
I would do the same! Although I'm not located in Germany, so I'm not under the same laws. As long as you don't use Google Analytics or other external tracking scripts, you would be on safe. Especially now that you have also disabled JSDelivr.
Unblind wrote:I've also disabled the CDN. We'll see if I notice anything.
You might not "notice" anything, as it's just another way of loading scripts for the browser. However, if you opened browser developer tools > Network, you would see that everything is now loaded directly from your own host instead of from JSDelivr.

Image