Bug 638187 - Thank You Page Sends Automatic Request to Facebook
Status: Closed (VERIFIED FIXED)
Opened 13 years ago; closed 13 years ago
Product / Component: Websites :: donate.mozilla.org (defect)
Tracking: Not tracked
Reporter: mcoates; Assignee: Unassigned
Whiteboard: [infrasec:other][ws:critical]
Issue

Loading the thank you page, which is used to generate the user's PDF membership card, automatically sends a GET request to Facebook. This is performed before any action is taken by the user. This could be used by Facebook to track users that view the Mozilla thank you page. The actual HTTP request is captured below.

Recommended Remediation

1. Modify the page to eliminate the initial request to Facebook unless the user specifically clicks on the Facebook link
2. Review to determine if this is in compliance with our privacy policy

HTTP Request

GET /extern/login_status.php?api_key=198340516862242&app_id=198340516862242&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df28e4d9f64f3bbe%26origin%3Dhttp%253A%252F%252Fwww-stage.mozilla.org%252Ff2fb2bcc09269c%26relation%3Dopener%26transport%3Dpostmessage%26frame%3Dffdd3a40256ab6%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df320c372d25b9a4%26origin%3Dhttp%253A%252F%252Fwww-stage.mozilla.org%252Ff2fb2bcc09269c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dffdd3a40256ab6&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df38d61ff868045c%26origin%3Dhttp%253A%252F%252Fwww-stage.mozilla.org%252Ff2fb2bcc09269c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dffdd3a40256ab6&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df232a82e8990298%26origin%3Dhttp%253A%252F%252Fwww-stage.mozilla.org%252Ff2fb2bcc09269c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dffdd3a40256ab6&sdk=joey&session_version=3 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www-stage.mozilla.org/join/thankyou.en.html
Cookie: wd=1177x490
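An added example, not part of the bug report or of Crowd Favorite's code, that parses a captured request of the kind shown above and reports what makes it a privacy concern: a different host than the referring page, a cookie sent along, a hidden (no UI) login-status probe, and the embedding page's origin carried inside the nested `next` callback URL. The sample request is a trimmed copy of the one in the description (the `no_session`/`no_user`/`ok_session` parameters and most headers are dropped to keep it short).

```python
"""Audit a captured HTTP request for an automatic third-party call."""
from urllib.parse import parse_qs, urlsplit

# Sample input: the GET request from the bug description, trimmed (constructed
# copy; only the parameters and headers the audit needs are kept).
CAPTURED_REQUEST = (
    "GET /extern/login_status.php?api_key=198340516862242&app_id=198340516862242"
    "&display=hidden&extern=2&locale=en_US&method=auth.status"
    "&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0"
    "%23cb%3Df28e4d9f64f3bbe%26origin%3Dhttp%253A%252F%252Fwww-stage.mozilla.org"
    "%252Ff2fb2bcc09269c%26relation%3Dopener%26transport%3Dpostmessage"
    "&sdk=joey&session_version=3 HTTP/1.1\r\n"
    "Host: www.facebook.com\r\n"
    "Referer: http://www-stage.mozilla.org/join/thankyou.en.html\r\n"
    "Cookie: wd=1177x490\r\n\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def audit_request(raw):
    """Describe whether the request is a silent cross-site call that tells
    another party which page the user is viewing."""
    _method, target, headers = parse_request(raw)
    url = urlsplit(target)
    query = parse_qs(url.query)
    host = headers.get("host", "")
    referer_host = urlsplit(headers.get("referer", "")).netloc
    # The 'next' callback URL is percent-encoded once more; its fragment
    # carries the origin of the page that embedded the Facebook SDK.
    next_url = urlsplit(query.get("next", [""])[0])
    embedding_origin = parse_qs(next_url.fragment).get("origin", [""])[0]
    return {
        "host": host,
        "path": url.path,
        "fb_method": query.get("method", [""])[0],
        "third_party": host != referer_host,      # request leaves the site
        "silent": query.get("display") == ["hidden"],  # no UI shown to user
        "sends_cookie": "cookie" in headers,      # identifies returning users
        "embedding_origin": embedding_origin,     # what Facebook learns
    }


if __name__ == "__main__":
    for key, value in audit_request(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```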
Comment 1 (Reporter)•13 years ago
Copying in Alex and Julie to get privacy and legal input.
Comment 2•13 years ago
This is definitely something we should look into asap. Off the top of my head, I don't think it complies with our privacy policy. I think we should call BSD asap and ask them to remove this feature. I am adding Ryan and Jane as they have ongoing contacts with BSD, and I'm adding Harvey.
Comment 3•13 years ago
BSD had nothing to do with the implementation of this feature. It was created by crowd favourite and doesn't touch the BSD landing page. It is generated by code on a Mozilla-hosted page.
Comment 4•13 years ago
Can you remove it?
Comment 5•13 years ago
I'm going to copy in crowd favorite and see if they can develop an alternative way to update to Facebook. If they can't, then yes, but I'd like to see if they can come up with an alternative first.
Comment 6•13 years ago
I don't think the intention was to have this happen automatically without the user's consent. If consent is given, could we make it comply with our privacy policy?
Comment 7•13 years ago
As we understand it, the GET request is the JavaScript API checking on the user's logged-in state so that it can serve the right interface once the Facebook action is fired (the link "Facebook" to run FB.ui). As far as we know, this is expected behavior for all Facebook JS-based plugins.
Comment 8•13 years ago
After re-reviewing the FB.init (called on page load), we can set "status" to false and "cookie" to false to avoid any fetching: http://developers.facebook.com/docs/reference/javascript/fb.init/ We've tested and confirmed this does not perform the login_status.php request in a development environment: http://cfdev21.com/thankyou.php
Comment 9 (Reporter)•13 years ago
(In reply to comment #8)
> After re-reviewing the FB.init (called on page load), we can set "status" to
> false and "cookie" to false to avoid any fetching:
>
> http://developers.facebook.com/docs/reference/javascript/fb.init/
>
> We've tested and confirmed this does not perform the login_status.php request
> in a development environment:
>
> http://cfdev21.com/thankyou.php

I took a look at the dev url and it looks good. No requests are made to facebook unless the user explicitly clicks on the facebook link.
Comment 10•13 years ago
FYI, I've updated this on staging: http://www-stage.mozilla.org/join/thankyou.en.html
Comment 11 (Reporter)•13 years ago
The automatic request issue is fixed. But it looks like the facebook URL may not be quite right. I'll hold off on closing this bug until we are fully happy with the change. When clicking on the facebook URL I get the following error within the facebook page:

Invalid Argument
Given URL is not allowed by the Application configuration.
Comment 12•13 years ago
Thanks, Michael. The Facebook app API was still expecting the old dev server URL (cfdev21.com) for testing purposes. Tested OK: https://img.skitch.com/20110303-d5icfg38knnrhxhbaxkk1pjha8.png It's now been switched to point to www-stage.mozilla.org/join/ and is allowed to run on mozilla.org domains. Of course, we will certainly want to double check this functionality before pushing live.
Comment 13 (Reporter)•13 years ago
Looks good.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated (Reporter)•13 years ago
Status: RESOLVED → VERIFIED
Updated•12 years ago
Group: websites-security