Non-Local inclusion on Simple.css, tracking

kbeezie · Sun May 03, 2026 9:24 pm

In the head.php line 15 it includes the main theme's style sheet remotely.

<?php echo Theme::css('https://cdn.simplecss.org/simple.min.css', false); ?>

The stylesheet should be included with the theme as to not risk issues when the cdn goes down or gets compromised, and to alleviate privacy/tracking concerns of those who installed the theme without giving consent to have their installation tracked by referral.

Also undisclosed remote asset inclusion is a compliance issue with EU's GDPR laws (as I think the author is based in France).

Thu May 07, 2026 6:20 am

Which theme is it?

kbeezie · Thu May 07, 2026 5:27 pm

Edi wrote: Thu May 07, 2026 6:20 amWhich theme is it?

Simple CSS

https://themes.bludit.com/theme/simple

Sat May 09, 2026 9:42 am

I would write the author of the theme:

https://jboisseur.xyz

or

https://github.com/jboisseur?tab=repositories

You can do it or I can do it as soon as I will be back from my holidays next week.

Perhaps there is a certain reason to use the external stylesheet.

kbeezie · Sun May 10, 2026 1:34 am

Edi wrote: Sat May 09, 2026 9:42 am Perhaps there is a certain reason to use the external stylesheet.

There's no reason that I can see given the content of it, outside of possibly tracking page loads/traffic. At the very least disclose that there is an externally loaded asset that isn't google/boostrap/jquery.

Especially when they're already loading a local style sheet that it could have gone into

Code: Select all

<!-- Include CSS Styles from this theme -->
<?php echo Theme::css('https://cdn.simplecss.org/simple.min.css', false); ?>
<?php echo Theme::css('css/style.css'); ?>

If they change something, it should be changed along with a new release of the theme, rather than risk breaking all the sites that have the theme installed. And if their site is compromised, then so is every site that installed the theme without knowing they are loading an external asset (though everyone should be checking anyways).

I didn't see a contact on github but I do see they have a Indeed. ... but it seems I can't contact thru Indeed without paying a subscription, and I don't see a contact option on github.

zacharielle · Fri May 29, 2026 8:09 am

Hi there!
I'm the author of that theme.
The reasons why the main CSS is available as a link rather than locally are because:

I'm not the original author of Simple.css and I don't want to take credit for work I didn't do
I would prefer that updates on that CSS are pushed automatically since I have not much time allocated for maintenance.

I thought this was clearly stated in the theme name and description (and README.md) but I'm happy to update the theme itself or metadata if you think of a better way of handling this adaptation.
Thanks anyway for reporting!

kbeezie · Tue Jun 02, 2026 3:14 pm

zacharielle wrote: Fri May 29, 2026 8:09 am Hi there!
I'm the author of that theme.
The reasons why the main CSS is available as a link rather than locally are because:

I'm not the original author of Simple.css and I don't want to take credit for work I didn't do

I would prefer that updates on that CSS are pushed automatically since I have not much time allocated for maintenance.

I thought this was clearly stated in the theme name and description (and README.md) but I'm happy to update the theme itself or metadata if you think of a better way of handling this adaptation.
Thanks anyway for reporting!

It's my bad actually, I didn't realize until after the fact that simple.css was akin to say bootstrap.css. Though it was a private domain and of the developers.