Finally. The perfect iPad stand. Just Type. One of my favourite platform metaphors.
Apr 22

Mike Hanson, Douglas Crockford, and Facebook; A tale of security, privacy, and performance

Facebook, Tech with tags: Add comments


Facebook announced a lot of bold moves at f8 yesterday. It was exciting to see Bret Taylor (who I had the pleasure to work with at Google) do such a great job on stage, and with the platform. There are many implications that will ripple out from this news, and here are some of my thoughts:

Act One: Security

At JSConf, Doug Crockford came out in his talk, asking to do an ECMAScript 4 to HTML5. Stop it. Block it. Go back to the table and fix the Web security model.

He must have had a giggle when he saw the new Facebook “Like” button. It allows anyone to throw a Facebook like on any page. I quickly put it up on Ajaxian:

<iframe src="<?php echo urlencode(get_permalink()); ?>&amp;layout=standard&amp;show-faces=true&amp;width=450&amp;action=like&amp;colorscheme=dark" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:450px; height:30px; padding-top:8px"></iframe>

Note how you pass in the href of what you want to like. I am getting the URL for each post and plugging it in. However, you could put any URL in there, as folks quickly discovered. Isn’t it fun to have a like button on content that actually likes some XXX porn. You like innocuous content X, and your wife looks at your stream to see that you are into a dirty movie.

As soon as you iframe in the world of Facebook, the page in question gets the power to get content into your graph and stream. Ouch. Not good.

The UI should at the very least see if it is liking a URL that isn’t the same as the main window.location. If it is exactly the same page, when you hover on “Like” it could say “this exact page”. If it is on the same domain it could say “a page on this site”, and if it isn’t on the domain…. ALERT ALERT ALERT. Since Facebook knows who you are, why not even let me set what I want to do here?

It is also frustrating that I couldn’t easily change the look and feel. Neither “light” or “dark” themes work on Ajaxian for example. I hope that power user features are added, so you can set the colors for various elements without having to go low level and do everything from scratch.

Act Two: Owning My Data

When I look at how we add the “Like” in the browser, we see the code smell of an iframe to an external site. We see this in other forms too, such as script tags pointing to Google to get a Google Map. This feels utterly wrong to me. Instead of a code snippet that points to a particular service, I want to declare what I want to see.

In the case of “like”, let me just say something such as:

<div class="data-like"></div>

Then some JavaScript could come in and augment this to be the iframe, OR the right thing could happen. The browser itself could take over and understand the semantic meaning here.

Imagine if around the Web we had:

<div class="map loc:xxx,yyy"></div>

Rather than the Google Maps, Bing Maps, Yahoo! Maps snippets. If a cool new maps startup came along, I could change my maps provider in my browser, and ALL maps would be shown using the provider of my choice. Much better.

I want to see the same for “Like” and other social data. The browser could then know what services to ping with the like. For example, perform a “like” on Facebook, a retweet on Twitter, and a bookmark. That data could be stored locally, and I am assured that I can always have it.

This leads me to Michael Hanson, principal engineer at Mozilla Labs. Mike and I didn’t even get a chance to really overlap at Mozilla, but I met him before I left. He is a killer engineer, and someone who is going to have a profound effect on the state of identity for us all.

His early work, in alpha-ish stage, is around the notion of contacts in the browser. This add-on is fantastic. Contacts are consumed from Yahoo!, Facebook, Google, etc (a la Palm webOS Synergy) and people are first class citizens (e.g. person:[email protected], person: With type=”email” you can auto complete of your friends. He already uses the new Facebook Graph API which is a dream to use compared to the old REST/FQL. I hope it is more solid too. Anyway, these are just a few of Mike’s features. Firefox is about to get very social.

So, the browser should be the universal like machine. Not Facebook. Not a service owned by a company. You. Your browser. You own your data.

Facebook continues to change your privacy policy, and the EFF just spoke out again: Facebook Further Reduces Your Control Over Personal Information. Some claim that ad companies do this and more already, tying it together sneakily on the backend…. but changing your privacy and making it OPT-OUT is terrible.

Act Three: Performance

Alex Sexton pointed out the performance side of a like button:

From what i can tell, a single facebook like button requires at least 12 unique requests and ~1 second of load time.

The button adds ~161 new http requests to this page on Levis which is ~4sec

Compare the difference in when onload kicks in via iframe compared to via JS.

Time for Steve Souders to do a P3P? :)

Again, if the browser handled the notion of like, we wouldn’t have this issue. Also, what if instead of a million iframes, we all loaded one set of JavaScript from Facebook, and there was a JavaScript function that would let us put the like content into a div. To optimize, we could pass in the set of URLs to ONE JavaScript function and get one set of metadata back. Then we have a function that adds the right HTML to a div. No matter how many like buttons you have. One request.

We could go the OpenLike route, but we don’t want a huge list of buttons and another resource to deal with. Let the browser do it. We don’t need to see a world of this. It is broken. Time to wake up:


Chris Messina has some words on the subject too:

When all likes lead to Facebook, and liking requires a Facebook account, and Facebook gets to hoard all of the metadata and likes around the interactions between people and content, it depletes the ecosystem of potential and chaos — those attributes which make the technology industry so interesting and competitive. It’s one thing for semantic and identity layers to emerge on the web, but it’s something else entirely for the all of the interactions on those layers to be piped through a single provider (and not just because that provider becomes a single point of failure).

I give Facebook credit for launching a compelling product, but it’s dishonest to think that the Facebook Open Graph Protocol benefits anyone more than Facebook — as it exists in its current incarnation, with Facebook accounts as the only valid participants.

As I and others have said before, your identity is too important to be owned by any one company.

2 Responses to “Mike Hanson, Douglas Crockford, and Facebook; A tale of security, privacy, and performance”

  1. Chris Messina Says:

    Interesting times, no?

    A couple of responses:

    I actually think it’s a feature, rather than a bug, that you can put a Like button on your page that points to ANY link. This is no different than so many ShareThis, Post to Buzz, Digg This, and other buttons out in the wild. Furthermore, if, say, I’m running some campaign on a microsite for my beverage VocaVola, I’m going to want you to like the primary URL for my product, NOT the microsite.

    Yes, you can totally deceive users into doing the wrong thing, but in this case I think the benefits to well-intentioned people is FAR greater than the few abusers that might try to game the system (if Facebook gets wind of your evil tactics, they could just block you from hosting the iframe anyway).

    I’m also supportive of adding more social verbs to the browser (big surprise, right?). In fact, the Follow verb in my social agent mockups could serve a similar purpose:

    The problem is reaching critical mass — and beyond that — starting with identity in the browser. Facebook’s Like button only works because most people already have Facebook accounts and are signed in most of the time. For similar functionality to work in the browser (and for the incentive to exist for publishers) you’d need to be able to Like or Follow things that then get sent to a public profile or activity stream (otherwise you’re just bookmarking things locally, and no advertiser or marketer will care about that).

    So until we get identity in the browser, this stuff will continue happening on the server-to-server side.

    Finally, as for performance — I think you need to look at the sheer ease of integration for publishers. You include at minimum an iframe and you’re done. Nothing else to worry about. Couldn’t be simpler, and where you want the Like button, it goes — no need to need with with your HTML head at all.

    When it comes to adding these “social plugins” we really need to think about a novice audience and how much expertise they have. Facebook is powerful because of how simple they make integrating with them — dispensing with complexity and power user features to address the mass market.

    That approach is single-handedly the most dangerous threat to the open web in my mind — since to date, much of the open web’s adherents love the nitty gritty details and power that comes from mastering complexity. Unless we can make our technologies more accessible, Facebook will continue to dominate an ever-increasing audience.

  2. dion Says:


    Thanks for the detailed and thought out comment.

    On the URL deceiving piece, I just think that the component could do more to alert the user. As a power user for example, I would be happy to hover over the like button for a second and get told what URL it is going to hit etc :)

    But, I totally understand that the case that matters isn’t the power user case. We can still do more to help those users too.



Leave a Reply

Spam is a pain, I am sorry to have to do this to you, but can you answer the question below?

Q: What is the number before 3? (just put in the digit)