
If you care about user privacy, do NOT use Facebook JS SDK, Hacker News

Originally posted on dev.to

Social login buttons like the ubiquitous "Login with Facebook / Google / Twitter / …" button are convenient for users: they don't have to go through a lengthy registration process and create yet another username / password. And without a proper password manager (which probably 99% of users don't use), they tend to reuse the same password, which is bad in terms of security!

However, behind the scenes, some SDKs (I'm looking at you, Facebook!) inject an iframe into your website to display the "Continue as {MyName}" or "Login with Facebook" button. Loading this iframe lets Facebook know that this specific user is currently on your website, so Facebook learns about the user's browsing behaviour without the user's explicit consent. If more and more websites adopt the Facebook SDK, Facebook could potentially have the user's full browsing history! And as "with great power comes great responsibility", it's part of our job as developers to protect users' privacy even when they don't ask for it.

The iframe is actually injected by a second script loaded by https://connect.facebook.net/en_US/sdk.js:

So what should we do to provide this "Login with Facebook" button to our users? The good news is that this is actually easy: Facebook implements the OAuth2 / OpenID standard, so you can use any OAuth2 / OpenID library to add the Facebook login button. You can also add other login providers like Google, GitHub, Apple… at the same time, as those are also OAuth2 / OpenID compliant.

Here are some resources to implement OAuth2 / OpenID in your app for different languages / frameworks:

If you happen to use Flask (Python), I have written an article on dev.to on how to implement OAuth2 / OpenID into a Flask application: https://dev.to/simplelogin/create-a-flask-application-with-sso-login-f9m

If you really need the Facebook SDK, please ask for user consent before loading it, or only load the SDK when the user clicks the "Login with Facebook" button.
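The following is an added example (not code from the original post or from Facebook) of the second option: the SDK script is inserted into the page only after the user has consented and clicked the login button, so a plain page view triggers no third-party request. The `document` object is passed in as a parameter so the loader logic can be exercised outside a browser; the consent storage key, the button element id and the `hasConsent` callback are constructed assumptions, and what to call once the SDK is ready is left to the application.

```javascript
// Added example (not from the original post): defer loading of a third-party
// login SDK until the user has consented and clicked the login button. `doc`
// is injected so the loader can run without a browser; `hasConsent` is an
// app-supplied function (the storage key below is an assumption).
function createDeferredSdkLoader({ src, doc, hasConsent, onReady }) {
  let state = 'idle'; // 'idle' | 'blocked' | 'loading' | 'ready'

  function load() {
    if (state === 'loading' || state === 'ready') return state; // idempotent
    if (!hasConsent()) {
      state = 'blocked'; // nothing fetched, nothing injected
      return state;
    }
    state = 'loading';
    const script = doc.createElement('script');
    script.src = src;
    script.async = true;
    script.onload = () => {
      state = 'ready';
      if (onReady) onReady();
    };
    script.onerror = () => {
      state = 'idle'; // allow a retry after a network failure
    };
    doc.head.appendChild(script);
    return state;
  }

  return { load, getState: () => state };
}

// Browser wiring; skipped when there is no DOM (e.g. under Node).
if (typeof document !== 'undefined') {
  const loader = createDeferredSdkLoader({
    src: 'https://connect.facebook.net/en_US/sdk.js',
    doc: document,
    // assumed consent key; replace with your own consent manager
    hasConsent: () => window.localStorage.getItem('fb-login-consent') === 'granted',
    onReady: () => {
      // initialise the SDK and start the login here, once it is available
    },
  });
  const button = document.getElementById('fb-login'); // assumed element id
  if (button) {
    button.addEventListener('click', () => {
      if (loader.load() === 'blocked') {
        // show a consent dialog; on accept, store consent and call loader.load() again
      }
    });
  }
}
```

Because the script tag is created only inside `load()`, the SDK's iframe cannot be injected before the click, and the `blocked` state gives the page a hook to show its consent prompt instead of silently loading anyway.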

Written by Son Nguyen Kim
