Yeah. To be precise, there isn't any evidence that they record the *text* of such aborted posts, but they certainly record the behavior, and they could easily record the text as well.
This extension injects an iframe on a different origin and does I/O in that (+ some anti-phishing tokens), so I think it should be safe against compromise by Facebook JS. Nadim has said that there's still a danger here, though, so I'll wait for him to detail that attack before pronouncing anything definitive.

On Wed, Jan 29, 2014 at 1:26 AM, Jens Christian Hillerup <[email protected]> wrote:
> On Tue, Jan 28, 2014 at 10:43 PM, Omar Rizwan <[email protected]> wrote:
>>
>> Haven't spread it widely yet or made it easy to install, I'm looking
>> for feedback both on how well it works (it needs some more testing and
>> does have some functionality bugs -- you may be blocked from FB chat
>> for a few minutes if it goes wrong!), how easy it is to use, and on
>> the general approach.
>
>
> Disclaimer: I haven't read the source, tried the extension or otherwise
> gotten to know about this tool other than reading OP.
>
> The reason I'm writing anyway is that this is important to know generally.
> Facebook records the text in text fields even before they're submitted [1].
> Therefore, if this tool relies on Facebook's own text fields (or anything
> within the DOM, really), they can completely circumvent this OTR
> implementation. The right way to do this would be to spawn something out of
> the reach of Facebook JS. That means, spawning a separate chat window in the
> context of the extension, or use window.prompt in either context (the
> contents of a window.prompt cannot be read before the OK button is pressed).
>
> JC
>
> [1]
> http://www.slate.com/articles/technology/future_tense/2013/12/facebook_self_censorship_what_happens_to_the_posts_you_don_t_publish.html
>
> --
> Liberationtech is public & archives are searchable on Google. Violations of
> list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> [email protected].
