On Sat, 29 Oct 2011 06:17:43 -0700, Marco Schuster  
<[email protected]> wrote:

> Hi,
>
> On Sun, Oct 23, 2011 at 7:03 PM, Roan Kattouw <[email protected]>  
> wrote:
>> This is the reason why we absolutely cannot have the
>> Facebook Like button: Facebook makes you use an FB-hosted button image
>> (and JS too, I think), collects data from every user that views the
>> Like button even if they don't click it (this is the part that
>> violates the privacy policy), and disallows self-hosting.
>
> German IT news site heise.de solved the privacy and load-time problem:
> http://www.heise.de/extras/socialshareprivacy/
>
> Unfortunately it's in German, but the code is easy to understand.
>
> Marco

That's not really all that much of a solution:

- Right now it's pretty stuck in 3 vendors
- It doesn't scale very well. If you do try to add more vendors and users  
do enable most of them, you still end up loading from each enabled vendor,  
slowing things down.
- Frankly the UI is pretty bad.
- Likely due to FB's terms the FB icon isn't actually the FB icon until  
you enable it. So there's even a chance that a user won't even know they  
'can' share on FB because the FB button doesn't look like an FB button.
- Once you enable a vendor we drop right back to a 3rd party script being  
injected into the page such that it can do malicious things.

Btw, if you're a 3rd party with a script in a page you can go pretty far  
abusing XHR and history.pushState to make it look to a user like they're  
browsing the website normally when in reality they're on the same page  
with the script still running. Oh, and that includes making it look like  
you're safely visiting the login page when in reality you didn't change  
pages and the script is still running ready to catch passwords.

-- 
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
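
One way to contain the risk raised in the message above, as an added example that is not part of the original email or of any project mentioned in it: render the vendor widget in a cross-origin sandboxed iframe instead of injecting its script into the host page. The vendor ids, URLs and the `url` query parameter are constructed placeholders.

```javascript
// Added example. Vendor ids, URLs and the "url" query parameter are constructed
// placeholders, not any real vendor's API.
const ALLOWED_VENDORS = new Map([
  ["vendor-a", "https://widgets.vendor-a.example/share"],
  ["vendor-b", "https://widgets.vendor-b.example/button"],
]);

// Tokens granted to the frame. allow-top-navigation is deliberately absent, so
// the frame cannot redirect the host page. allow-same-origin only lets the frame
// keep the vendor's own origin (cookies, storage); it is acceptable here solely
// because the frame is required to be cross-origin to the host (checked below).
const SANDBOX_TOKENS = ["allow-scripts", "allow-same-origin", "allow-popups"];

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns iframe markup for one vendor widget. Script inside the frame runs in
// the vendor's browsing context: it cannot read the host DOM, and its
// history.pushState calls rewrite only the frame's URL, not the address bar.
function widgetFrameHtml(vendorId, pageUrl, hostOrigin) {
  const base = ALLOWED_VENDORS.get(vendorId);
  if (!base) throw new Error(`unknown vendor: ${vendorId}`);
  const src = new URL(base);
  const host = new URL(hostOrigin);
  const shared = new URL(pageUrl);
  if (src.protocol !== "https:") throw new Error("widget must load over https");
  if (src.origin === host.origin) throw new Error("widget must be cross-origin to the host");
  if (shared.origin !== host.origin) throw new Error("refusing to share an off-site URL");
  src.searchParams.set("url", shared.href);
  return `<iframe src="${escapeAttr(src.href)}" sandbox="${SANDBOX_TOKENS.join(" ")}"` +
    ` referrerpolicy="no-referrer" title="${escapeAttr("Share via " + vendorId)}"></iframe>`;
}

// Audit helper: given the script URLs a page template emits, list those that
// would execute inside the host origin while being served by someone else.
function thirdPartyScripts(scriptSrcs, hostOrigin) {
  const host = new URL(hostOrigin).origin;
  return scriptSrcs.filter((s) => new URL(s, host).origin !== host);
}
```

Isolation addresses only script execution in the host page; the frame request itself still reaches the vendor, so click-to-enable gating remains relevant for the privacy concern discussed in the thread.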
