jamyskis: By that logic, you probably shouldn't download very much at all. In fact, you should probably give up PC gaming altogether, as very few content distributors exclusively use their own CDNs. Steam uses Highwinds, PSN uses Limelight, GOG uses Edgecast. All potential vulnerabilities.
Hehe, I don't even use a NoScript plugin myself. I am just arguing that the OP is not simply a tinfoil hat wearing conspiracy theorist, which seems to be a prevailing opinion around here.

And CDNs are not a bad thing in and of themselves. It's just that a CDN for which anybody can make a free, untraceable account in 30 seconds is maybe not the best choice. Edgecast does not appear to have a free option, which is good. The real question is, since GOG already uses Edgecast, why host anything on Cloudfront in the first place?

Anyway, Johny already said that the script being hosted on Cloudfront is a temporary thing, so it's not really productive to argue about it.

But as I said, I have no personal stake in this.
Wishbone: The issue is that by hosting their script on Cloudfront, GOG makes it mandatory for users to allow their browsers to access Cloudfront, which means that any other site which might host something less savorable on Cloudfront is then free to serve up said less savorable content to the user's browser.
I don't understand what you are saying, that someone could hack Cloudfront and tamper with gog's script? Or that Cloudfront isn't reliable to access the right script?
JMich: NoScript is a very specific plugin for Firefox. As far as I know, there aren't any other NoScript plugins for different browsers, though there may be no script plugins for them.
NotScripts was a similar program made for Chrome but apparently it stopped developing (or?). I found something called ScriptBlock that works the same way but I don't see any Amazon or Cloudnet script when I'm at GOG.com, I can only block GOG.com. That said, with HTTPS Everywhere I can see Cloudfront.net apparently.
Wishbone: I am just arguing that the OP is not simply a tinfoil hat wearing conspiracy theorist, which seems to be a prevailing opinion around here.
The OP is not a tinfoil hat wearing conspiracy theorist because he's concerned about GOG storing scripts on Cloudfront. He's a tinfoil hat wearing conspiracy theorist because of statements like:

"Just because you are fine with having your own information spread all over the internet does not mean everybody else has to conform to your clueless indifference"

"I began harboring suspicion that everybody else inhabited some alternative dimension where monopoly- and control-seeking corporations were doing it for the overall good of society."

Honestly, I sympathised with the OP till he started his holier-than-thou attitude. There is a difference between being concerned with potential security risks and being a douche about it.

EDIT:

Wishbone: You think he is concerned with what the Cloudfront hosted script included by GOG actually does. He isn't.

The problem is not the script, but where the script resides.
As a side note, when the problem is not with the script itself, but with where it is hosted, then there is not really a need to give your thread a title of "stop the data-mining crap". It's unnecessarily belligerent and appears to indicate that the OP does think the script is in a way malicious. And only reinforces the tin foil conspiracy theorist image.
Post edited June 01, 2016 by ZFR
neurasthenya: Step 1: Produce a storm (carefully);
Step 2: Choose a teacup;
Step 3: Put the storm inside the teacup (very carefully!);
Step 4: Make a thread about it;

Nothing personal OP
i hope the teacup is a very nice blue
i like blue
Wishbone: The issue is that by hosting their script on Cloudfront, GOG makes it mandatory for users to allow their browsers to access Cloudfront, which means that any other site which might host something less savorable on Cloudfront is then free to serve up said less savorable content to the user's browser.
WBGhiro: I don't understand what you are saying, that someone could hack Cloudfront and tamper with gog's script? Or that Cloudfront isn't reliable to access the right script?
Neither.

I'm saying that because Cloudfront can be used by absolutely anybody to host absolutely anything, it might not be a completely ridiculous thought to block it on principle.

Imagine you're idly browsing the internet. You know, just checking a forum here, a site with funny pics there, a blog, a game review, the usual. On one of these sites, some enterprising individual has discovered a way to embed HTML code directly in the title of a comment (as happened here on the GOG forum). Now, because the title field can only contain a very small number of characters, this unsavoury person is severely limited in how much code he can embed. What he needs is a service where he can place as much code as he likes, and simply link to that in the title field. Cloudfront to the rescue!

If you have Cloudfront blocked, nothing will happen. If not, then as soon as you load the page with the comment, that script is downloaded to your browser and executed. What does it do? No idea, but we'll imagine it's something you don't want.

If you used to have Cloudfront blocked, but were forced to unblock it in order to access your GOG account, and something like this happened, I imagine that you would be a bit miffed with GOG.

Disclaimer:
I am not an expert in internet security, and everything I write here is basically stuff I'm pulling out of my ass.
Wishbone:
Ok thank you, now I get it.
Does this script only run if you are using GOG via a browser? Or if you use Galaxy, are the concerns over this script moot?
Wishbone: I am just arguing that the OP is not simply a tinfoil hat wearing conspiracy theorist, which seems to be a prevailing opinion around here.
ZFR: The OP is not a tinfoil hat wearing conspiracy theorist because he's concerned about GOG storing scripts on Cloudfront. He's a tinfoil hat wearing conspiracy theorist because of statements like:

"Just because you are fine with having your own information spread all over the internet does not mean everybody else has to conform to your clueless indifference"

"I began harboring suspicion that everybody else inhabited some alternative dimension where monopoly- and control-seeking corporations were doing it for the overall good of society."

Honestly, I sympathised with the OP till he started his holier-than-thou attitude. There is a difference between being concerned with potential security risks and being a douche about it.
Agreed, but this thread is this thread, and that thread is that thread, and not everybody reading this thread will have read that thread.

Some of the comments here made no reference to anything that had gone before, and just seemed to indicate that there could not possibly be any legitimate concern attached to the fact that GOG made its login procedure dependent on a script hosted on a third party site on which anybody can host anything. All I am trying to say is that yes, there could be legitimate concerns there. Not necessarily the concerns the OP has, but concerns nonetheless.
neurasthenya: Step 1: Produce a storm (carefully);
Step 2: Choose a teacup;
Step 3: Put the storm inside the teacup (very carefully!);
Step 4: Make a thread about it;

Nothing personal OP
snowkatt: i hope the teacup is a very nice blue
i like blue
It would go quite well with those very heavy and gray storms!
Or even those thunderstorms that flash the sky and make it go all purple-ish!
WBGhiro: I don't understand what you are saying, that someone could hack Cloudfront and tamper with gog's script? Or that Cloudfront isn't reliable to access the right script?
Wishbone: Neither.

I'm saying that because Cloudfront can be used by absolutely anybody to host absolutely anything, it might not be a completely ridiculous thought to block it on principle.

Imagine you're idly browsing the internet. You know, just checking a forum here, a site with funny pics there, a blog, a game review, the usual. On one of these sites, some enterprising individual has discovered a way to embed HTML code directly in the title of a comment (as happened here on the GOG forum). Now, because the title field can only contain a very small number of characters, this unsavoury person is severely limited in how much code he can embed. What he needs is a service where he can place as much code as he likes, and simply link to that in the title field. Cloudfront to the rescue!

If you have Cloudfront blocked, nothing will happen. If not, then as soon as you load the page with the comment, that script is downloaded to your browser and executed. What does it do? No idea, but we'll imagine it's something you don't want.

If you used to have Cloudfront blocked, but were forced to unblock it in order to access your GOG account, and something like this happened, I imagine that you would be a bit miffed with GOG.

Disclaimer:
I am not an expert in internet security, and everything I write here is basically stuff I'm pulling out of my ass.
It's just bringing in some angular.

src="https://d3tvtfb6518e3e.cloudfront.net/2/angular-opbeat.min.js"

is the only reference to cloudfront.
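
Added example, not part of the thread and not GOG's or Opbeat's code: a simplified model of allow-list matching in the style of CSP host-sources, showing how the granularity of the allow-list entry decides what else is let through on a shared CDN domain. The function names and the two URLs marked constructed are assumptions; only the first URL comes from the post above.

```javascript
// Simplified model of CSP-style host-source matching (scheme, host, optional path).
// Not a full CSP implementation: ports, redirects and nonces/hashes are ignored.
function sourceMatches(source, url) {
  const u = new URL(url);
  const m = /^(?:(https?):\/\/)?([^\/]+)(\/.*)?$/.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern, path] = m;
  if (scheme && u.protocol !== scheme + ":") return false;
  const host = u.hostname.toLowerCase();
  const pattern = hostPattern.toLowerCase();
  if (pattern.startsWith("*.")) {
    // "*.example.net" matches any subdomain, but not "example.net" itself.
    if (!host.endsWith(pattern.slice(1))) return false;
  } else if (host !== pattern) {
    return false;
  }
  if (!path) return true;
  // A path ending in "/" is a prefix; otherwise it must match exactly.
  return path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path;
}

// Return the subset of script URLs that a given allow-list would let load.
function allowedScripts(policy, urls) {
  return urls.filter((url) => policy.some((src) => sourceMatches(src, url)));
}

// The script URL quoted in the thread, plus two constructed URLs for comparison.
const GOG_SCRIPT = "https://d3tvtfb6518e3e.cloudfront.net/2/angular-opbeat.min.js";
const OTHER_TENANT = "https://example-constructed.cloudfront.net/other.js"; // constructed
const SAME_HOST_OTHER_FILE = "https://d3tvtfb6518e3e.cloudfront.net/9/other.js"; // constructed
const urls = [GOG_SCRIPT, OTHER_TENANT, SAME_HOST_OTHER_FILE];

// Three allow-list entries, from broadest to narrowest.
const domainWide = ["https://*.cloudfront.net"];
const oneDistribution = ["https://d3tvtfb6518e3e.cloudfront.net"];
const oneFile = [GOG_SCRIPT];

for (const [name, policy] of Object.entries({ domainWide, oneDistribution, oneFile })) {
  console.log(name, "allows:", allowedScripts(policy, urls));
}
```

The domain-wide entry admits scripts from every tenant of the shared domain, which is the situation described earlier in the thread; pinning to one distribution or one file keeps the page working without extending that trust to other tenants.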
Wishbone: The real question is, since GOG already uses Edgecast, why host anything on Cloudfront in the first place?
They're not. Opbeat (the providers of the offending script) are. Gog is just using the (presumably) recommended source for the script.

I kind of have to agree with the assessment that the OP is possessed of some serious aluminium millinery though.. from the various threads he's created on the topic he clearly has no idea what the script does or why it might be bad. You have articulated the worst case scenario of what might happen by white listing Cloudfront but the OP clearly believes it's an attempt to steal and sell his data...

Even more hilarious is that the purpose of this script is apparently to help Gog find all the weird unreproducible bugs users get so they can fix them (you know, the thing we all complain about all the time).
I guess it's true that people will always find something to complain about...
Johny.:
Thank you. It's comforting to know this is not a permanent situation.

Doubly appreciate the response - the lack of any reply via e-mail wasn't encouraging.

adaliabooks: I kind of have to agree with the assessment that the OP is possessed of some serious aluminium millinery though.. from the various threads he's created on the topic he clearly has no idea what the script does or why it might be bad. You have articulated the worst case scenario of what might happen by white listing Cloudfront but the OP clearly believes it's an attempt to steal and sell his data...
Since this sums up pretty much all the somewhat reasonable accusations... you are welcome to correct if anything I write below is wrong.

If you connect to Amazon's cloud, for whatever reason, you do so by transmitting your IP address (well, duh) as well as the web page association where the script is used. Depending on the script, there can be additional information used either to initiate some server-side calculations, or used to parse correct version of script file, or whatnot. Depending on the client-side implementation, there could be more information sent if it is deemed desired.

The only way to know for certain is to investigate the page that requests the connection, and the code that is transmitted back. In the latter case, should one so desire, it is quite possible to obfuscate undesirable activity to make it extremely hard to detect even by users with professional level of knowledge. I mention this part merely as a theoretical consideration rather than something related to GOG specifically, but since you admire my heavy metal headgear, why not.

The easiest way to avoid any security issues, or unwanted data proliferation among data miners (as a slight aside Facebook just announced they will aggressively track non-users in environments including "apps" - first article I could find on this: http://www.theverge.com/2016/5/27/11795248/facebook-ad-network-non-users-cookies-plug-ins) is to limit exposure to any contact with certain range of servers. For instance, I have all known Facebook IP ranges host-file-loopback blocked.

You are welcome to think whatever you want about my mental state, but if you just do some light reading on the subject you might find a lot of material supporting a very, very tight grip on your data, however indifferent it may initially appear.

Heh, both Google and Facebook (in partnership with Microsoft) are currently investing in private cables across the Atlantic. Both of the companies made their fortune by data mining and selling the results of such efforts.

Call me what you will. If anything, it's amusing, since I still remember the very same reaction in early 2000s to the warnings issued by technical people about U.S. federal agencies being engaged in internet monitoring on a scale nobody else wanted to believe. After Snowden, suddenly that changed to "oh, everybody knew that."
Post edited June 02, 2016 by Lukaszmik
Johny.:
Lukaszmik: Thank you. It's comforting to know this is not a permanent situation.

Doubly appreciate the response - the lack of any reply via e-mail wasn't encouraging.

adaliabooks: I kind of have to agree with the assessment that the OP is possessed of some serious aluminium millinery though.. from the various threads he's created on the topic he clearly has no idea what the script does or why it might be bad. You have articulated the worst case scenario of what might happen by white listing Cloudfront but the OP clearly believes it's an attempt to steal and sell his data...
Lukaszmik: Since this sums up pretty much all the somewhat reasonable accusations... you are welcome to correct if anything I write below is wrong.

If you connect to Amazon's cloud, for whatever reason, you do so by transmitting your IP address (well, duh) as well as the web page association where the script is used. Depending on the script, there can be additional information used either to initiate some server-side calculations, or used to parse correct version of script file, or whatnot. Depending on the client-side implementation, there could be more information sent if it is deemed desired.

The only way to know for certain is to investigate the page that requests the connection, and the code that is transmitted back. In the latter case, should one so desire, it is quite possible to obfuscate undesirable activity to make it extremely hard to detect even by users with professional level of knowledge. I mention this part merely as a theoretical consideration rather than something related to GOG specifically, but since you admire my heavy metal headgear, why not.

The easiest way to avoid any security issues, or unwanted data proliferation among data miners (as a slight aside Facebook just announced they will aggressively track non-users in environments including "apps" - first article I could find on this: http://www.theverge.com/2016/5/27/11795248/facebook-ad-network-non-users-cookies-plug-ins) is to limit exposure to any contact with certain range of servers. For instance, I have all known Facebook IP ranges host-file-loopback blocked.

You are welcome to think whatever you want about my mental state, but if you just do some light reading on the subject you might find a lot of material supporting a very, very tight grip on your data, however indifferent it may initially appear.

Heh, both Google and Facebook (in partnership with Microsoft) are currently investing in private cables across the Atlantic. Both of the companies made their fortune by data mining and selling the results of such efforts.

Call me what you will. If anything, it's amusing, since I still remember the very same reaction in early 2000s to the warnings issued by technical people about U.S. federal agencies being engaged in internet monitoring on a scale nobody else wanted to believe. After Snowden, suddenly that changed to "oh, everybody knew that."
If you don't mind me asking, what do you think would be done with your data?
Lukaszmik: Since this sums up pretty much all the somewhat reasonable accusations... you are welcome to correct if anything I write below is wrong.

(...)

The only way to know for certain is to investigate the page that requests the connection, and the code that is transmitted back.
You could just look into the network panel in your browser and see exactly what is sent where.

For now - aside from Google Analytics, there's only sending encountered JavaScript errors data. I've prepared one myself so I can attach it to this post.