1. 21

  2. 14

    Is this news? I’d suggest you could remove “JS SDK” from the title.

    EDIT: I was being a bit sarcastic about Facebook in general and do not mean to slur the author or article content itself.

    1. 5

      It seems a useful particular piece of information that using Facebook SDK for OAuth login via Facebook leaks more information than using third-party OAuth libraries for OAuth login via Facebook.

      That’s what I think this article is saying, although I can’t say I’m sure of the details; in particular, how much more information does this iframe give Facebook compared to the plain OAuth flow?

      1. 3

        You’re guessing right, that’s one of the takeaways from the article. Using an iframe allows Facebook to know at least the website you are on (the parent website) and information about your browser, IP, etc. They could also in theory get the content you’re seeing on the parent website too, but I doubt they can exploit it.

        1. 3

          And when I use some other library to implement “login with facebook”, don’t they also know the parent website?

          1. 3

            That depends on how the library is implemented actually. For facebook, I recommend using an oauth2 library with the code flow. This is a backend integration so no iframe is involved. If you happen to use Flask (python), I also wrote an article on this topic https://dev.to/simplelogin/create-a-flask-application-with-sso-login-f9m
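The backend code-flow integration the comment above recommends, as an added example that is not part of the original thread and not the code from the linked Flask article: the provider endpoints, client id and secret, redirect URI and the stub token endpoint are all constructed placeholders. It shows the three server-side steps (top-level redirect with a state value, state-checked callback, server-to-server code exchange) and why no provider iframe or script ever runs on the page.

```python
import hmac
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder endpoints; a real integration uses the provider's documented URLs.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
TOKEN_URL = "https://provider.example/oauth/token"


def new_state():
    """Unguessable per-login value kept in the server-side session and echoed
    back by the provider; it binds the callback to this browser's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scope, state):
    """Step 1: the backend sends the browser (a top-level redirect, no iframe
    and no provider JavaScript on the page) to the provider's authorize endpoint."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: the provider redirects back with ?code=...&state=...;
    reject the callback unless state matches the value stored in the session."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def _http_post_form(url, form):
    """Server-to-server POST used in step 3 (replaced by a stub when run offline)."""
    data = urlencode(form).encode()
    request = urllib.request.Request(url, data=data, headers={"Accept": "application/json"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.loads(response.read().decode())


def exchange_code(code, client_id, client_secret, redirect_uri, post=_http_post_form):
    """Step 3: the backend swaps the one-time code for a token over a direct
    HTTPS request; the client secret never reaches the browser."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    token = post(TOKEN_URL, form)
    if "access_token" not in token:
        raise ValueError("token endpoint returned no access_token")
    return token["access_token"]


# Constructed stub standing in for the provider's token endpoint so the flow
# can be exercised offline; it only honours the one constructed code below.
CONSTRUCTED_CODE = "constructed-code-123"


def stub_token_endpoint(url, form):
    if (url == TOKEN_URL and form.get("grant_type") == "authorization_code"
            and form.get("code") == CONSTRUCTED_CODE):
        return {"access_token": "constructed-access-token", "token_type": "bearer"}
    return {"error": "invalid_grant"}


def run_login_flow(post=stub_token_endpoint):
    """End-to-end walk through steps 1-3 with constructed client values."""
    client_id, client_secret = "example-client-id", "example-client-secret"
    redirect_uri = "https://app.example/oauth/callback"
    state = new_state()
    build_authorization_url(client_id, redirect_uri, "email", state)
    # The provider would now redirect the browser to a URL like this one:
    callback = redirect_uri + "?" + urlencode({"code": CONSTRUCTED_CODE, "state": state})
    code = parse_callback(callback, state)
    return exchange_code(code, client_id, client_secret, redirect_uri, post=post)
```

The only thing the provider learns from this flow is the redirect_uri registered for the app and the login itself; nothing from the page hosting the "login" link is embedded or executed in the provider's origin, which is the difference from a script-and-iframe SDK.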

      2. 2

        I don’t see this information mentioned in Facebook SDK or elsewhere so decided to write this post. Facebook is still used by a lot of my friends and family so removing it completely is not feasible for me for now …

        1. 4

          Try a sabbatical. You might be surprised how little it actually provides for those bonds.

          1. 1

            But what about WhatsApp and Instagram? WhatsApp in particular is pretty important for me to connect to people all across the world. Signal just doesn’t have the same market share…

            1. 3

              Have you tried suggesting Signal to your friends?

        2. 2

          or “Facebook” and “SDK”

        3. 2

          I think it is a good message, but if you care about user privacy, the first thing you should be doing is removing all forms of closed source analytics tools and advertisements from your site.

          1. 1

            I removed their widgets recently from my website. You have no idea what’s in those big blobs of JavaScript they ship to your readers. They could be watching their scroll and click patterns. You basically let them collect all the free data they want.