check it out:

http://www.chillitickets.com/CustomerOffer.aspx

Using Facebook as an example: Is the Facebook logo enough for it to be considered legit/safe login or is a full redirect to Facebook required?

I know Facebook is trying to push Facebook Connect, but I'm not sure if they still allow this kind of thing or if it's something they're trying to get rid of.

Any thoughts?

+2  A: 

I think OAuth is the current state of the art in cross-domain data sharing.

Greg Hewgill
+1  A: 

Using Facebook as an example: Is the Facebook logo enough for it to be considered legit/safe login or is a full redirect to Facebook required?

Definitely not. I'm not saying a full Facebook redirect is necessary, but using the Facebook logo only proves you can download an image or use Photoshop; it doesn't prove that the form next to it is not harvesting personal information.

When you say "the standard", I assume you mean "best practice" from the point of view of handling the data? If so, at a bare minimum you need to clearly state (in your site's terms of use or whatever):

  • why you need someone's username / password details
  • what you intend to do with these details to achieve that
  • how you will handle their data once you've finished with it

In an ideal world, at no point should you be storing any of this user information. Use once, then discard.

MatW
What about iframing the Facebook login in?
Matt
The method (iframe, custom form, etc.) through which you get hold of a user's information is almost irrelevant. It's what you intend to do with that info once you've got it that has to be made clear (and be legal!) :)
MatW