I was checking up on GOG policies (ToS and privacy policy) while discussing the different digital storefronts with somebody, and ran into an unexpected issue - I can't view the pages where GOG presumably hosts its policies without unblocking a bunch of scripts from third-party sites.

I know damn well that just a while ago they were hosted by GOG and did not require such, so why the change?

Unless I borked something up, which wouldn't surprise me, either. It's late :)
Lukaszmik: I was checking up on GOG policies (ToS and privacy policy) while discussing the different digital storefronts with somebody, and ran into an unexpected issue - I can't view the pages where GOG presumably hosts its policies without unblocking a bunch of scripts from third-party sites.

I know damn well that just a while ago they were hosted by GOG and did not require such, so why the change?

Unless I borked something up, which wouldn't surprise me, either. It's late :)
The page utilises Zendesk. You need to allow scripts for zdassets.com to view the page. The page also uses zendesk.com, bootstrapcdn.com and fonts.googleapis.com.
Website designs change over time and may include third-party technologies like Hickory mentioned; it can strike at any time. That is one of the downsides we users of NoScript, RequestPolicyContinued and similar technologies face: not only mucking around for a few seconds/minutes or longer to get a website to work in the first place, but dealing with various breakages that occur over time as the site evolves or starts using additional off-site subresources. :)

It appears I had globally allowed 3 of the 4 domains Hickory mentioned, so I never noticed any probs. After I see a given site come up on many websites over time I may investigate the subresource target more closely to see if it is better configured as a globally whitelisted domain rather than on a domain-by-domain basis. Things like fonts.googleapis.com, for example, are a good idea to globally allow as half the web uses it. :)
Ugh. Thanks for the replies, I was hoping it was just something messed up on my end.

Really unhappy with the creep of third parties on GoG. I can understand financial incentives, but from a security standpoint they really might want to consider internalizing as much as possible. Too much potential for abuse otherwise, in a number of ways.

For that matter, kind of wonder how it is less expensive for GoG to use US-based generic "support" company (presumably the actual work is done... elsewhere) rather than grow its own team of specialists. Or why not have their own bloody page, on their own server, with what amounts to crucial documentation.

Bah.
Lukaszmik: Really unhappy with the creep of third parties on GoG. I can understand financial incentives, but from a security standpoint they really might want to consider internalizing as much as possible. Too much potential for abuse otherwise, in a number of ways.
Yep, don't use the cloud, it sucks :p

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Thankfully GOG only seems to grab a few scripts from the Cloudflare CDN; there doesn't seem to be any sensitive information in the HTTP request.
Lukaszmik: Ugh. Thanks for the replies, I was hoping it was just something messed up on my end.

Really unhappy with the creep of third parties on GoG. I can understand financial incentives, but from a security standpoint they really might want to consider internalizing as much as possible. Too much potential for abuse otherwise, in a number of ways.

For that matter, kind of wonder how it is less expensive for GoG to use US-based generic "support" company (presumably the actual work is done... elsewhere) rather than grow its own team of specialists. Or why not have their own bloody page, on their own server, with what amounts to crucial documentation.

Bah.
Because that's a really inefficient way to do design.
As far as I understand it they are not sending any information to Zendesk, just using their code to build the page, same as they use AngularJS for the game catalogue and pages. In the case of Zendesk it just happens to utilise calls to Zendesk servers to retrieve CSS files (mostly, from what I can tell from a quick look at it; there may be other things).

Growing your own team of specialists and having them build their own framework is far more expensive and time consuming than using third party pre made set ups, so the reward for doing so would have to be far greater.
Take Galaxy, building their own team and framework is exactly what they are doing there and look how long it is taking to get it to a fully usable release state.
adaliabooks: Because that's a really inefficient way to do design.
As far as I understand it they are not sending any information to Zendesk, just using their code to build the page, same as they use AngularJS for the game catalogue and pages. In the case of Zendesk it just happens to utilise calls to Zendesk servers to retrieve CSS files (mostly, from what I can tell from a quick look at it; there may be other things).
the problem isn't that they use an already existing framework, but that they retrieve the script from a 3rd-party site on every page view.
adaliabooks: Because that's a really inefficient way to do design.
As far as I understand it they are not sending any information to Zendesk, just using their code to build the page, same as they use AngularJS for the game catalogue and pages. In the case of Zendesk it just happens to utilise calls to Zendesk servers to retrieve CSS files (mostly, from what I can tell from a quick look at it; there may be other things).
immi101: the problem isn't that they use an already existing framework, but that they retrieve the script from a 3rd-party site on every page view.
I get that, but that's the way their system works. It's possible with many systems to locally host a copy of the JavaScript, but if it's changed and updated very regularly then that's an extra workload keeping your scripts up to date, when you could just link to the sources on the company's own servers/domains.
immi101: the problem isn't that they use an already existing framework, but that they retrieve the script from a 3rd-party site on every page view.
adaliabooks: I get that, but that's the way their system works. It's possible with many systems to locally host a copy of the JavaScript, but if it's changed and updated very regularly then that's an extra workload keeping your scripts up to date, when you could just link to the sources on the company's own servers/domains.
better security <=> convenience/save an extra workload
pick one ;)

Guaranteeing your users' security for stuff hosted by you is in your own hands. Do you really want to guarantee the security of some other site hosting JavaScript library XY?
Besides, it puts a huge target on the site hosting the script. If any attack ever manages to take out googleapis.com then 80% of the net will stop working. Even worse if someone manages to distribute their own code from that site instead.

The internet originally was designed as a system of distributed nodes, trying as much as possible to make it resilient against attacks/failures of a single part. Lately there seems to be the trend to centralize stuff as much as possible, making sure that every failure/screwup will have the maximum impact.

It's also quite a waste of resources when for every site request my browser has to do dozens of additional DNS lookups and establish dozens of additional connections, instead of using the already established connection to the site I want to view.
Lukaszmik: ...Really unhappy with the creep of third parties on GoG. ...
You're not alone ;-) The change happened with GOG's Support Center overhaul. It's not that they don't have their own support team, but they chose Zendesk as their new support platform on the technical side.
I haven't investigated if GOG is using CSP or other security technologies but if they are, that dramatically reduces certain security concerns with 3rd party subresources et al.
adaliabooks: I get that, but that's the way their system works. It's possible with many systems to locally host a copy of the JavaScript, but if it's changed and updated very regularly then that's an extra workload keeping your scripts up to date, when you could just link to the sources on the company's own servers/domains.
immi101: better security <=> convenience/save an extra workload
pick one ;)
True, but it's not a binary either or.

GOG doing this themselves would mean them having to spend extra resources on it. This would mean less resources to spend elsewhere (like trying to get publishers to put their games here, or getting games running on modern machines), or having to make up for these extra resources by increasing prices or increasing their cut (again meaning fewer publishers wanting to put their games here).

So it's always a question of is it better to increase security by x% or having y% less chance of new games appearing or increasing cost by z%.

I'm not saying which is the best route for GOG to take here, since I'm no expert. But it's never possible to have 100% security; there will always be a point when it becomes cost prohibitive. Of course this point would be different for a nuclear reactor and a game shop site which doesn't even store your credit card information.

ADD:
And being no expert on this, I'd be genuinely interested to hear what's the worst a malicious script could do. Take over the account? Since no credit card information is stored, this would simply mean them being able to download my games and me being denied access till GOG sorts it out. Is that right?
Post edited February 25, 2017 by ZFR
immi101: better security <=> convenience/save an extra workload
pick one ;)
ZFR: True, but it's not a binary either or.

GOG doing this themselves would mean them having to spend extra resources on it. This would mean less resources to spend elsewhere (like trying to get publishers to put their games here, or getting games running on modern machines), or having to make up for these extra resources by increasing prices or increasing their cut (again meaning fewer publishers wanting to put their games here).

So it's always a question of is it better to increase security by x% or having y% less chance of new games appearing or increasing cost by z%.

I'm not saying which is the best route for GOG to take here, since I'm no expert. But it's never possible to have 100% security; there will always be a point when it becomes cost prohibitive. Of course this point would be different for a nuclear reactor and a game shop site which doesn't even store your credit card information.

ADD:
And being no expert on this, I'd be genuinely interested to hear what's the worst a malicious script could do. Take over the account? Since no credit card information is stored, this would simply mean them being able to download my games and me being denied access till GOG sorts it out. Is that right?
Isn't this what they're doing either way?

I doubt that they're (zen) doing this for free or just for shits & giggles ;p

So why not keep it in house & most likely cheaper, where you can also make sure it's more secure than it clearly is when someone else is doing it (& not very well it appears).

As for anyone not liking all of this google/twitter/fb/gleam etc creeping onto the site, which requires having to block things, they can vote with their wallet & not spend anything here until (if ever) things change to how they prefer it to be.
Post edited February 25, 2017 by fishbaits
DeMignon: You're not alone ;-) The change happened with GOG's Support Center overhaul. It's not that they don't have their own support team, but they chose Zendesk as their new support platform on the technical side.
Maybe this overhaul was really necessary, but why does it have to be so ugly now? This reminds me of the launch of the 'almighty grey' somehow...
DeMignon: ...
gamefood: Maybe this overhaulwas really necessary but why has it to be so ugly now? This reminds me of the launch of the 'almighty grey' somehow...
Hehe, right. See my comment from then ;-)