Facebook: prevent webpages to auto-like themselves with my connected account? - facebook

Recently, I've seen a lot of webpages (external to Facebook) that implement an auto-like script (google "facebook auto like" and you'll see how many of these things there are out there).
It works as follows: you are connected to your Facebook account. On another tab (or window) you visit a "malicious" website that has this script. You don't click on anything related to Facebook, especially nothing that asks for permission. When you go back to your Facebook account, you observe that your profile has liked the page you visited, without your permission.
Is there a way to prevent these scripts from working? Otherwise, is there a security parameter that would make Facebook always ask for your password before liking anything outside Facebook? I would even be fine with disabling likes outside Facebook altogether.

For the websites to accomplish auto-liking, they need to use a web-based programming language like JavaScript. Before you enter a website that you don't know, try turning off JavaScript in tools until you can trust that site. A second option, if you are using Google Chrome, is to download an app that will block JavaScript from running without your permission.

Related

Facebook logout when not authorized

I'm building a public installation using an iPad, built as an iOS web app (using the "Add to Home Screen" functionality) which is going to allow users to share content on Facebook.
I'm currently logging the user in to Facebook and getting them to authorize my Facebook app when they click my custom share button. On a successful login, I open Facebook's Feed dialog and allow them to share. Once they have shared (or clicked cancel) I automatically log them out, making sure that the next user that uses the public installation won't be able to share to the previous user's Facebook account.
This all works well, but things get tricky if someone was to hit my custom share button, log in to Facebook and then not allow my app. This would mean that they have logged in, but as they haven't authorized the app, I don't have an access token, and so can't log them out (FB.logout() requires an access token).
Is there a way around this?
Or is there another way that I can log a user out?
Or is there a safe way to allow a user of a public installation (built in HTML) to share on Facebook and be automatically logged out afterwards? Would building a native obj-c app, and using Facebook's iOS SDK help?
The best I can think of is that if the user logs in but doesn't allow the application, they are told that they need to log out, and redirected to Facebook to be able to do this. However this offers them the chance to browse Facebook and (through shared links in their feed) the whole Internet - this isn't acceptable for our installation.
I solved this problem by creating a native iOS app, where the Facebook share link opened in its own UIWebView. Once the sharing was complete, I deleted all session & cookie information, effectively logging the user out.

Confused about App Dev process- Only trying to link to a website

I am trying to get Facebook features (like button, and login capabilities) on my website but I am having a tough time figuring out how to do it. I have a Facebook page for my website too, I do not have an app, but from what I've seen I'm supposed to create this App profile through Facebook in order to access all of these features. I am simply confused. I have a website, I have a Facebook page for that website, now I want to link the two. Again, I do not have an app for the site, yet, as it is in its early development stages. Please help me figure out what I must do to link my website to Facebook capabilities.
Just "create an application" for the website. I think what you are most confused about is actually building an app.
"Create an application" provides a reference for your application to reside. All Facebook plugins currently must be processed through the JS SDK which needs an application (reference) to make requests. You will see the benefits of doing this when using facebook.com/insights
Also your Facebook fan page has nothing to do with your website, think of it separately, it will cause less confusion. There is no way to link them.
Summary: Just click the "Create app" button, set the domain to your website domain and supply the application id to the JS SDK.
Have you checked out their site? https://developers.facebook.com/
All you need to do after registering with Facebook as a developer, you should have a control panel. After that you should have a dev key, so that when you make an API call to Facebook you can authenticate yourself as a registered developer. You do need to enter the JavaScript file in the head section so that when you call the Facebook API your JavaScript code knows to reference the calls.

How does the browser plugin Disconnect work?

I've recently installed the browser plugin Disconnect to keep Facebook, Twitter and Google from recording my browser history as I use the regular web while still letting me use those services when I choose to.
Can anyone explain how Disconnect works?
I'm interested in how it works to understand where my web experience might be changed or compromised and as an intellectual curiosity about what these sites are doing and how it can be blocked.
There are detailed descriptions of what our extensions do in the extension galleries (and someday soon, our site), e.g.:
https://chrome.google.com/webstore/detail/jeoacafpbcihiomhlakheieifhpjdfeo
More technically, all our extension code is open source (and well commented and otherwise readable, if I do say so myself):
https://github.com/disconnectme
I'm only guessing, but to track you, Google, Facebook and Twitter send you a cookie to identify you. Then if you browse the web and display a page that contains an AdSense banner, a G+1 button, an analytics script, or a Facebook/Twitter widget, Google, Facebook and Twitter access this cookie.
So to prevent them from recording your browsing, maybe the add-on filters the cookie sent in the HTTP request or filters Google/FB/Twitter scripts/iframes/URLs from the viewed page.
Hope this could give you a hint.
Regards
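
One way the filtering guessed at in the answer above could be done, as an added example (not Disconnect's code and not part of the original posts): classify each request against the page that made it, and block requests to a listed service unless the user is on that service's own site. The domain table and the function names are assumptions made for illustration.

```javascript
// Added example: hypothetical request filter, not Disconnect's implementation.
// Constructed, deliberately small domain table (assumption for illustration).
const SERVICES = {
  facebook: ["facebook.com", "facebook.net", "fbcdn.net"],
  twitter: ["twitter.com", "twimg.com"],
  google: ["google.com", "google-analytics.com", "googlesyndication.com"],
};

// True if host equals domain or is a subdomain of it. Matching on a label
// boundary keeps "notfacebook.com" from matching "facebook.com".
function hostMatches(host, domain) {
  host = host.toLowerCase().replace(/\.$/, "");
  return host === domain || host.endsWith("." + domain);
}

// Returns the name of the service that owns this host, or null.
function serviceFor(host) {
  for (const [name, domains] of Object.entries(SERVICES)) {
    if (domains.some((d) => hostMatches(host, d))) return name;
  }
  return null;
}

// Decide what to do with one request made by a page.
// pageUrl: URL of the top-level document; requestUrl: resource being fetched.
function decide(pageUrl, requestUrl) {
  let page, req;
  try {
    page = new URL(pageUrl);
    req = new URL(requestUrl);
  } catch (e) {
    return { action: "allow", reason: "unparseable URL" };
  }
  const target = serviceFor(req.hostname);
  if (target === null) return { action: "allow", reason: "not a listed service" };
  // The user is on the service itself (e.g. browsing facebook.com): keep it working.
  if (serviceFor(page.hostname) === target) {
    return { action: "allow", reason: "first-party use of " + target };
  }
  // Widget, script or iframe from the service embedded in an unrelated page:
  // blocking the request means the service's cookie is never sent for this view.
  return { action: "block", reason: "third-party request to " + target };
}
```

Blocking the request outright covers both guesses in the answer, since a request that is never sent carries no cookie and loads no script or iframe.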

Displaying MY public wall using AS3 without user login

I've been trying to get this to work for a while, but I've apparently missed something.
All I want is to have the latest 3 or so posts from my client's Facebook page to populate and animate in a screensaver that I am building using Flash (AS3).
So far, every time I try to bring anything in, it requires a complete oAuth login and account link, but it's only a one way exchange (read-only, absolutely no writing, posting or even linking, since it's a screensaver) I'm not even sure the client wants pictures or anything.
I am currently trying to use the facebook-actionscript-api, but there isn't an option for the "App Login" type of Authentication that would solve most of my problems.
I'm at wit's end and about to have to tell my client it can't be done. At least they'll always have Twitter...
I don't think it is possible to get Facebook feeds without an access token (even if they are public). So I guess you need to define an app within Facebook and add login stuff to your app so users can give permission to your app for basic access.
Maybe this article offers some help: http://www.adobe.com/devnet/facebook/articles/flex_fbgraph_pt1.html

Facebook Login Button Vs. OAuth Dialog

What's better?
Login Button
OAuth Dialog
I like the Login Button because it shows profile pictures of the user's friends who have already signed up for your application and it opens a dialog overlay instead of redirecting to a new page as does the OAuth Dialog.
But, I think the OAuth Dialog is newer. Which should we use?
Also, the Login Button is XFBML. Apparently, Facebook is in the process of deprecating FBML. Does that mean XFBML is being deprecated too?
It isn't that one is better than the other - they are intended to accomplish different things.
The login button is used for external websites to allow Facebook-based social elements and community within that site. You can then add other plugins such as comments, the like button or the face pile to further integrate the Facebook social networking aspects, with the login button acting as the authentication mechanism.
The OAuth dialog is specifically for FB apps that run within the Facebook canvas, and allows you to request Graph API permissions from a user which will grant you access to various parts of their profile and additional channels of communication.
While Facebook is deprecating FBML, they are not including XFBML elements that support social plugins, such as the login button. See here for more info.
I think Daniel hit the nail on the head.
I have just started reading up on Facebook Development, and it seems they are providing a great set of tools to do very powerful things, but they aren't particularly explaining which bits do what.
I think you need to be sure of the difference between: a) creating a web app that will leverage the Facebook API to enhance its functionality (i.e. using the login button to allow a user to login/create a profile on that website) and b) creating a Facebook app that makes use of the API to simplify development (i.e. authorize and authenticate a Facebook user for an app request).
I don't think they have outlined that distinction very well throughout their documentation.
The oAuth button is decidedly and absolutely better for a simple reason - it is documented and relatively stable.
The Login Button has nearly no documentation right now ( https://developers.facebook.com/docs/reference/plugins/login/ ), and the behavior has slightly changed several times.
The documentation for the login button is currently limited to how you can:
change the appearance [ width, show faces, rows ]
specify scope
specify a registration-url
For the last several months ( ~Jan - July 2012 ), the documentation has not included anything concerning the flow of information or status -- ie, what actually happens on a successful or failed login.
While there are answers to these questions on StackOverflow, and mentions of other parameters that seem to work when passed in, Facebook does not mention or document any of this functionality at all, so it is essentially use at your own risk. The LoginButton is essentially a black box of mystery that people just seem to have working thanks to undocumented features, and with functionality that will change/cease on random weekly updates.
tl;dr - stay the f(*& away from the Login Button and just use oAuth