LocalCDN

Welcome to the LocalCDN Wiki!

LocalCDN is a web browser extension for your Firefox that emulates CDNs (Content Delivery Networks). It intercepts the network traffic between a website and remote CDNs, finds supported resources locally, and injects them into the environment. All of this happens automatically, so no prior configuration is required.

Here are some of the most frequently asked questions:

Supported CDNs and frameworks
Chrome/Chromium Browser
Can I see which frameworks are requested by a website? Can this extension also logging?
Translation
Test the latest changes from the main or develop branch
Rule generator
Broken websites
Requests to include a framework in LocalCDN
Compatibility with other extensions
Dark Mode
Can I check if LocalCDN really works?
LocalCDN is not recommended by Mozilla. Is it safe to use this extension?
LocalCDN and Firefox for Android (Fenix)
I don’t know your name. How can I trust you?
What do you think about Black-Lives-Matter?
Do you have an overview of all donations and expenses?
What about FPI and dFPI?
Does LocalCDN change the fingerprint and make me uniquely identifiable?
Is there a shortcut to open the extension menu?
What are your recommendations for addons or settings?
Enumerating badness vs. enumerating goodness
Stripping metadata
The date of the last update for the rule sets is X months old. Is that normal?

1. Which CDNs and frameworks are supported exactly? Where can I check this?

LocalCDN is Open Source so you can of course check out the code. You can either download the extension manually here (right click and 'Save as..') or you can check the following sections:

CDNs:

CDNs CDNs (Develop branch)
You can find the supported CDNs here:

Frameworks/Libraries:

Frameworks (main branch) Frameworks (develop branch)
You can find the included Frameworks/Libraries here:

2. Can I use this extension in my Chrome Browser?

Yes, it's possible. For publishing you need a Google Account. I don't have one and don't want one 😉 But Emanuel Bennici takes the source code and publish LocalCDN in the Chrome Web Store.

There are some restrictions for Chrome and Chromium based browsers. While both browsers support the WebExtensionsAPI, there are still differences. Chromium unfortunately doesn't support all features of LocalCDN.

Chromium incompatibilities/bugs:

HTML filter
- The HTML filter uses the JavaScript API webRequest.filterResponseData. This API is not supported by Chromium. It was proposed already in 2015. I don't think this will ever work under Chromium.
- Chromium Bugreport | Issue 487422: WebRequest API: allow extensions to read response body
Replace/inject fonts of "Font Awesome" or "Google Material Icons" (*.woff, *.woff2, *.ttf)
- GitLab Issue #67
Chrome does not support to change the color of the badge text. The default color is white.
- Issue #122
- Only one bug report exists for setBadgeTextColor (Mar 13, 2013): Issue 23879: Finalize browser actions API (closed)
- Chromium docs: https://developer.chrome.com/extensions/browserAction
- MDN: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/browserAction/setBadgeTextColor
Lost EventListener after discarding one or more tabs
- If a tab was discarded and later restored, no further requests can be intercepted by LocalCDN. All EventListeners have been removed by Chromium and won't be restored again. (For Firefox, the EventListeners are intact).
- Issue #1084

⚠️ Please note that I try to solve Chromium issues, but my focus is Firefox. Chromium issues have a very low priority. If you have a solution for an issue, Chromium users would be happy if you create a PR.

3. Can I see which frameworks are requested by a website? Can this extension also logging?

Of course, but logging is disabled by default.

3.1. Logging by the extension

Open the extension settings
Click on the Advanced tab
Activate the option Enable logging

3.2. Logging by using the `browser console`

3.2.2. Get logging informations

Open "Browser Console" with CTRL + SHIFT + J or the menu

3.2.3. Enable "Show Content Messages" and use the filter

4. My native language is not fully supported. Some of the content is in English. Can I translate that somewhere?

Yes you can and that would make me and other users very happy. LocalCDN uses the Open Source tool 'Weblate' for this. You can register there and start directly or you can make suggestions (without registration). I will accept them as soon as possible.

5. You recently changed something in the code and I would like to test it. How can I do that?

That would be great.

⚠️ Please use a different user profile (about:profiles) for this, because your previous settings will be deleted when you remove the temporary extension

go to the develop branch and download this repository
unzip downloaded file to any location you want
start Firefox and create a new profile with about:profiles
start the new Firefox profile and open about:debugging
click this Firefox and load temporary add-on...
select manifest.json from the unzipped file

💡 Step-by-step video: temporary-extension-in-firefox.mp4 (localcdn.org)

6. Why do I need this rule generator? I use an adblocker and want to import these rules. How does it work?

Your adblocker must forward the traffic to LocalCDN so that LocalCDN can detect the requests and replace them with local resources.

If you are using an adblocker (uBlock Origin, uMatrix or AdGuard) you can generate some rules in the LocalCDN settings. Please remember that these rules have to be inserted manually into your adblocker.

6.1. Only uBlock Origin

For uBlock Origin the following also applies: These rules are only relevant in "medium" or "hard" mode. They are not necessary in Easy Mode or default settings. For more information, please visit the uBlock Origin Wiki.

Mode	Rules useful	uBlock Wiki
Default/Easy	No	https://github.com/gorhill/uBlock/wiki/Blocking-mode#very-easy-mode-details-
Medium	Yes	https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
Hard	Yes	https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-mode

Add the rules in the settings of uBlock Origin in the section MyRules and on the right side in the section Temporary rules. Then click Save and Commit. Congratulations, the rules are now permanently applied.

6.2. uBlock Origin / uMatrix

Add the rules in the settings of uMatrix in the section MyRules and on the right side in the section Temporary rules. Then click Save and Commit. Congratulations, the rules are now permanently applied.

Screenshot	Description
	Insert the generated rules under Temporary Rules.
	Click on Save and Commit
	Finish

6.3. AdGuard

The rules are inserted in the AdGuard settings under User rules. Changes are applied immediately.

6.4. NoScript

NoScript doesn't support importing the CDNs. So you have to export, edit and import the settings:

In your exported file you will find a section "sites" and "trusted". By default, domains/CDNs are already included there:

    ...
    
    "sites": {
      "trusted": [
        "§:addons.mozilla.org",
        "§:afx.ms",
        "§:ajax.aspnetcdn.com",
        "§:ajax.googleapis.com",
        "§:bootstrapcdn.com",
        "§:code.jquery.com",
        ...

You can attach the CDNs there. Duplicate entries are automatically removed during import.

7. A website looks weird or cannot be used. If I deactivate LocalCDN, everything works. What is the problem?

There are different reasons for broken websites. LocalCDN tries to replace as many resources as possible. I think it makes no sense to replace jQuery on a website and then contact a CDN for the other 10 resources. It isn't possible to include all resources in all versions (jQuery has 151 different versions on GitHub), because that would take up too much space. That's why we need to find a compromise. The compromise in LocalCDN is replacing jQuery 3.5.0 with 3.5.1. When a web page breaks because of this, it's usually a backwards compatibility issue with the resources. So I would be happy if I get the chance to fix the problem.

Content Security Policy/Same Origin Policy
Crossorigin/integrity attributes in HTML code
Service Worker

7.1. SOP

If you find error messages like this in the console (Ctrl + Shift + K) it looks like a CSP/SOP issue. The website determines from which sources a resource can be loaded. In this case, a resource cannot be loaded from the addon storage. The SOP (Same Origin Policy) is a security feature. A bugreport to detect this errors already exists, but with the lowest priority (Bugzilla #1419459). The only solution: Disable LocalCDN for this website.

7.2. Crossorigin/integrity attributes in HTML code

Some websites include external frameworks and use crossorigin/integrity attributes. Both of these prevent the replacement by LocalCDN. Enable the HTML filter to remove these attributes and allow LocalCDN to replace the framework.

⚠️ Unfortunately, it sometimes happens that special characters are then displayed incorrectly. In this case you can deactivate the HTML filter and/or LocalCDN, to display the umlauts correctly.

7.2.1. Technical details

To understand the problem, it's important to know what character encoding is. The HTML filter reads the HTML source code with TextDecoder and the character set that's either specified in the HTML source code or transmitted by the webserver.

Then it looks for these two attributes and removes them. When everything is done, TextEncoder writes the HTML source back to the tab. That was actually all.

There is a small problem: TextDecoder can read many character sets, but TextEncoder can write UTF-8 only. This will cause errors during the conversion. These conversion errors are caused by the different character sets. The first 128 characters are the same in e.g. ASCII and UTF-8, but after that there are differences that produce these errors.

If a website is written in UTF-8, then there should be no problems with the conversion, because no conversion happens. With the other character sets it depends on which character should be displayed and if these bits mean something different in UTF-8.

7.3. Service Worker

If a website uses a service worker for caching, it can also block the replacement. If you don't need the functions of the service workers (push notifications or offline functionality), you can disable it globally in about:config -> dom.serviceWorkers.enabled = false

💡 I created an online testing program that allows you to test a website for known issues: https://www.localcdn.org/test/check

More information about Service Workers:

8. Requests to include a framework in LocalCDN

Someone asked if I can add a specific framework. First of all, LocalCDN emulates CDNs to improve your online privacy and prevent cross-site profiles about you and your habits. When a website hostes these frameworks itself, then this is okay for privacy. You have no privacy advantages if you exchange the frameworks that are stored locally on the web server. The operator knows you anyway, e.g. Youtube, Twitter, Facebook and Discus. They always knows which page you are currently using.

8.1. Google Fonts

Google Fonts wont be integrated, because this is not necessary to display a web page. If the web page includes Google Fonts and you block them by uBlock, the browser will use the default font instead. Apart from the fact that in my opinion it is not necessary, it is technically not possible to include all Google Fonts. The complete package of all Google Fonts is uncompressed 950 MB (compressed 390 MB in size. Just have a look into this folder. Extensions have a limitation of 200 MB. So you have to check all Google Fonts, which is popular and which should be included and which not. I don't want to do that.

8.2. YouTube/Twitter

YouTube doesn't include any external framework and Twitter is using an own CDN (abs.twimg.com). When you're using one of them only “passive”, you can try “Invidious” or “Nitter”, that's an alternative front-end without 3rd party scripts and CDNs. When you use Youtube/Twitter actively, it doesn't matter if the scripts are loaded locally.

8.3. Google Charts

It's not allowed to use Google Charts "offline":

Can I use charts offline? Your users' computers must have access to https://www.gstatic.com/charts/loader.js in order to use the interactive features of Google Charts. This is because the visualization libraries that your page requires are loaded dynamically before you use them. The code for loading the appropriate library is part of the included script, and is called when you invoke the google.charts.load() method. Our terms of service do not allow you to download the google.charts.load or google.visualization code to use offline.

Can I download and host the chart code locally, or on an intranet? Sorry; our terms of service do not allow you to download and save or host the google.charts.load or google.visualization code. However, if you don't need the interactivity of Google Charts, you can screenshot the charts and use them as you wish.

https://developers.google.com/chart/interactive/faq

This are the reasons why LocalCDN isn't supported now and will not be in future:

Google Fonts
Google Charts
Yandex Metrika
Google Plus One
Twitter
Facebook
Disqus
embedded self-hosted scripts from Youtube, Twitter, ...

8.4. Which frameworks can be added?

Basically all that are freely available and the license terms don't forbid it. The framework must also be useful and necessary for the function of a website.

If the website works fine and the icon is yellow, I would just ignore it. Adding missing frameworks doesn't help.
If a website doesn't work with LocalCDN enabled, then I would first disable the "Block requests for missing resources" option. When the website works with this, it's a missing framework.
If the website doesn't work with it, the automatic framework upgrade could be making a problem.
It's best to briefly explain what is not working on a website. That saves me time searching for it. Depending on the website and language, this can take a long time.

9. I have installed some other extensions. Can I install LocalCDN? Is it compatible?

Normally yes. At the moment I know only HTTPS Everywhere and NoScript.

HTTPS Everywhere

In my opinion the extension is no longer necessary due to various browser and server functions, so I haven't used it for a long time. Because I don't deal with it anymore, I can't answer any questions about it.

If you still want to use HTTPS Everywhere, you can find more information on this topic at Decentraleyes.

In short: LocalCDN always tries to establish secure connections when requests are to be allowed through.

Open HTTPS Everywhere while visiting a website.
Disable all rules within the "Stable Rules" section, except the rule next to "localcdn.org".
Finish

Important: This seems to affect all browsers except Firefox and Firefox based

NoScript

NoScript doesn't support importing the CDNs. So you have two options:

allow the connection manually
export and import settings

The second way: You have to export, edit and re-import your NoScript configuration. In your exported file you will find a section "sites" and "trusted". By default, domains/CDNs are already included there:

    ...
    
    "sites": {
      "trusted": [
        "§:addons.mozilla.org",
        "§:afx.ms",
        "§:ajax.aspnetcdn.com",
        "§:ajax.googleapis.com",
        "§:bootstrapcdn.com",
        "§:code.jquery.com",
        ...

You can attach the CDNs there. Duplicate entries are automatically removed during import.

10. In the screenshots I see the Dark Mode. How can I activate that?

This should happen automatically. If not, you will find the solution here:

Open about:config
Search for "ui.systemUsesDarkTheme"
If available, change the value to 1. If not, then create the entry (Type = Number) and set it to 1
⚠️ Please note that this cannot work together with the setting privacy.resistFingerprinting = true, see #337

11. Can I check if LocalCDN really works?

Yes. An external framework (e.g. jQuery) will not be listed as a network connection if LocalCDN can replace the framework. You will only find external connections there. LocalCDN redirects to a local file, however.

How can I check if LocalCDN really works?

You can see the redirection through the source code. On the web page just right click and select "View Page Source". In the source code you will find e.g. this:

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>

If you copy this link, paste it into the address line, you will be redirected to the local file. Please do not just click on the link, because this will redirect you to this:

view-source:https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js

If you open https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js, you will be forwarded to moz-extension://e129e293-bad9-44d2-ab61-9a5cacb106be/resources/jquery/2.2.4/jquery.min.jsm. The extension ID (e1..be) is random.

Example: https://www.localcdn.org/dl/how_can_i_check_if_localcdn_really_works.mp4

12. LocalCDN is not recommended by Mozilla. Is it safe to use this extension?

I don't know the exact definitions for "Recommended" and how often this will be checked. Definitely not with every update. The badges are also no guarantee that an extension protect your privacy. Do you remember "Web of Trust"? These extension was also recommended by Mozilla for a while. So you can use the badges as a orientation, but it isn't a guarantee.

I wrote Mozilla an e-mail about this a few weeks ago, but they still haven't answered me. Maybe Mozilla is busy at the moment because of less employees, Fenix and the new badges (I already applied for it)

Mozilla has published here some tips about the missing badges. These badges are only available for Firefox. Chromium has no such labels at all.

If you have a question about a certain line of code or a certain section of code, just create a ticket and I will answer the question.

13. Can I use LocalCDN in Firefox for Android (Fenix)?

Yes, because I have already tested it. Unfortunately Mozilla hasn't unlocked all extensions for it. I don't know when this will finally happen. If you are using Firefox Nightly (Mobile), you can create your own collection and include a maximum of 25 extensions. Expanded extension support in Firefox for Android Nightly

Info: The workaround via Collections is supported by

Firefox Nightly (Google Play Store)
Fennec (F-Droid)

You can also use my collection:

Collection owner: 15698979
Collection name: nobody

Content:

Are you missing an extension? Then open an issue and I'll add this extension. Collections currently limited to 25, but Mozilla wants to expand it to 50.

14. I don't know your name. How can I trust you?

The skepticism is good and should always be the case. There aren't many developers who publish more than their name. A good example are Custom ROMs. Many times I see only a name and maybe a country, but nothing more. As a developer you also want to protect your privacy, because something once published on the internet cannot be removed. If you publish your name nobody will check it. So I can write what I want. If you just need a name to trust me, just call me Marc 😉

Privacy is important for me. Mine but also yours. I like it when you report missing frameworks, bugs or suggestions on Codeberg, because I delete emails automatically after 14 days. If you report something to me via email, I have to add it manually on Codeberg. Why do I do that? If a missing framework was reported by e-mail and I want to visit this website a second time, I don't know which website it is after 14 days. Suggestions and bug reports should also be public. You do not have to write long text.

Instead of publishing my name, I do other things that might be important:

no external connections by LocalCDN
internal statistics of LocalCDN disabled by default (will not be transmitted anyway)
small commits to better understand code changes
all commits are signed with GPG
The translation platform is Weblate (Open Source) and translations without registration possible
Codeberg instead of GitHub, GitLab or other platforms that collect and analyze your data
The website (www.localcdn.org) doesn't use cookies, tracking or analysis tools
Server logfiles are automatically deleted after 5 days
Emails are automatically deleted after 14 days
Contact by e-mail with PGP encryption possible
Strong CSP (= Content Security Policy) for extension
- See manifest.json
- More information about CSP can be found here

15. What do you think about Black-Lives-Matter?

People who know me know that I'm absolutely against racism. We are all human. Right now we are alone in this huge universe. Every human being deserves to be respected. No matter what skin color, nationality, gender, religion or anything else. Racism is stupid.

The branch name was changed from Master to Main some time ago. I know that the source code of LocalCDN contains discriminating terms like whitelist and blacklist. I will change these terms to "Allowlist" and "Blocklist". Unfortunately this isn't easy because I used the same terms for the extension storage. I could change this in the next version, but if a user skips exactly this update, it could cause problems. So yes, I will change that, but it takes some time. Issue that containing these changes: #138

No matter if before or after this change: I'm against racism.

Of course I also hate all other stupid things that harm or disadvantage another person (war, terror, violence, etc.)

My message to all racists and all who harm or disadvantage people: 🖕

16. Do you have an overview of all donations and expenses?

Yes, you can find this overview here.

17. What about FPI and dFPI?

FPI (= first party isolation) and dFPI (= dynamic first party isolation) are a very good and useful things to make cross-site tracking more difficult. However, both have no effect on the connection itself and the external server. What happens there cannot be modified by the browser. This is the same reason why you probably use an adblocker, disable Android's Captive Portal Check or use your own DNS server. Unfortunately, you can't completely block this connection to a CDN, because then a website probably won't work. LocalCDN forwards these requests to the local addon storage, so the website will work after all. Of course you can use both technologies. I would always enable (d)FPI and disable LocalCDN only when necessary.

If external connections don't bother you, you should ask yourself if you would install an extension that pings a server for every website or if you would use a Google time server on all your devices. If this ping does not bother you, then LocalCDN is not recommended for you.

A nice little side effect: A CDN delivers resources to multiple websites and is therefore an interesting target. It's possible that a bad guy could inject a manipulated resource into the CDN eco system and compromise multiple websites at the same time. Security researcher RyotaK found a way to compromise the whole Cloudflare CDNJS network in July 2021 (www.bleepingcomputer.com).

This example shows how dangerous external connections can be. You should therefore eliminate any connection that is not necessary. A CDN is not necessary from a technical point of view. The operator of a website can also host the stuff himself. So if you also want to reduce the number of external connections, LocalCDN makes sense.

18. Does LocalCDN change the fingerprint and make me uniquely identifiable?

Some users asked if LocalCDN changes the fingerprint. I have been working on this question for a while. Until now I don't know how to get a different fingerprint through LocalCDN. I don't know any theoretical example and also no PoC.

It would be possible to check the UUID and see how many extensions with web_accessible_resources are installed. The problem: the UUIDs are random with each extension and Firefox profile. A script would therefore have to try all possible combinations and for each UUID found (with web_accessible_resources) test all known extension files contained there. This takes a very very long time because there are a lot of UUID combinations: 16^32 = 340,282,366,920,938,463,463,374,607,431,768,211,456

Yes. In version 2.6.13 there was the combination Ctrl+Shift+L. In newer versions no combination was set by default. Follow these instructions to change or set this shortcut: https://support.mozilla.org/en-US/kb/manage-extension-shortcuts-firefox

20. What are your recommendations for addons or settings?

First of all: It depends on you and your habits!

user.js

Use the good customizability of Firefox and use a user.js. Which settings you set there is also up to you. A good starting point is e.g. www.privacy-handbuch.de (German). Find out the best for your case, test it and use it. You have to understand what each setting does.

uBlock Origin

No idea, but probably other adblockers are also good. I'm very satisfied with uBlock Origin. At the moment I've no reason to change. The medium mode there is really good. I use it on almost all devices. One device even uses hard mode. But it depends on the websites you visit.

Firefox Profiles

Use the possibility to create different profiles in Firefox. To prevent confusion, you can use them with different themes. A temporary profile is sometimes also useful. I've a small bash script that creates such a profile for me. After closing the browser the complete profile folder will be deleted:

#!/bin/bash
PROFILEDIR=`mktemp -p /tmp -d tmp-fx-profile.XXXXXX.d`
/path/to/firefox/firefox -profile $PROFILEDIR -no-remote -new-instance
rm -rf $PROFILEDIR

Are the addons from the collcetion all tested, trusted or recommended?

No. Some of the addons I actually use myself. Others are only in the list because someone else asked if I could add them.

21. Enumerating badness vs. enumerating goodness

Enumerating badness is a bad thing, because there are more bad domains than good domains. You should only allow that which is absolutely necessary. The opposite of enumerating badness is enumerating goodness and means only necessary connections should be allowed, e.g. with uBlock Origin in medium mode. A CDN was useful in the past, but today CDNs are rarely necessary. Low latency or geographical proximity won't be noticed with such small files. Therefore, I think that this connection is not necessary from a technical point of view. The website owners can store the stuff on their own web server. My recommendation: uBlock Origin in Medium Mode and LocalCDN. Activate Block requests for missing resources in the LocalCDN settings.

22. Stripping metadata

The HTTP headers Cookie, Origin and Referer are legitimate header, but mostly they are used in such a way the privacy might be violated. The Referer header in the first place. LocalCDN catches all HTTP headers before submitting them and removes just these three headers. However, some users reported this could be problematic with Google services. In this case you have to disable this feature.

Please note that LocalCDN does not remove these headers from all requests. It only removes the headers from the requests which goes to a CDN like ajax.googleapis.com or cdnjs.cloudflare.com. Some parts could also be configured for Firefox with user.js globally for all domains.

23. The date of the last update for the rule sets is X months old. Is that normal?

Yes, it is. The full path of a resource is not important for the rule sets, only the root domain is important.

Example:

cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js
^^^^^^^^^^^^^^^^^^^^
     important
      

cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                  unimportant

You can see this also in the generated rules: * cdnjs.cloudflare.com * noop