
The new Facebook JavaScript SDK can let any website log in as a Facebook user and fetch data of a user...

So it will be, www.example.com including some Javascript from Facebook, but as I recall, that script is considered to be of the origin of www.example.com and cannot fetch data from facebook.com, because it is a violation of the "same origin policy". Isn't that correct? If so, how does the script fetch data?

A: 

I think, but am not sure, that they use the iframe method. At least the cross domain receiver and xfbml stuff for canvas apps uses that. Basically the JavaScript on your page creates an iframe within the facebook.com domain. That iframe then has permission to do whatever it needs with facebook. Communication back with the parent can be done with one of several methods, for example the url hash. But I'm not sure which, if any, method they use for that part.

Tesserex
It's not the iFrame that does it. See the second quote in my answer. The iFrame would still be restricted from interacting with script on the parent page.
David Stratton
+1  A: 

From here: https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript

The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. This policy dates all the way back to Netscape Navigator 2.0.

and explained slightly differently here: http://docs.sun.com/source/816-6409-10/sec.htm

The same origin policy works as follows: when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame (see Table 14.2).

The Facebook script is not attempting to interact with script from your domain or reading DOM objects. It's just going to do its own post to Facebook. It gets your site name, not by interacting with your page, or script from your site, but because of the script itself, which is generated when you fill out the form to get the "like" button. I registered a site named "http://www.bogussite.com" and got the code to put on my website. The first thing in this code was

`<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.bogussite.com&`

so the script is clearly getting your site info by hard-coded URL parameters in the link to the iFrame.

Facebook's website is by far not alone in having you use scripts hosted on their servers. There are plenty of other scripts that work this way. All of the Google APIs, for example, including Google Gears, Google Analytics, etc. require you to use a script hosted on their server. Just last week, while I was trying to figure out how to do geolocation for our store finder for a mobile-friendly web app, I found a whole slew of geolocation services that had you use scripts hosted on their servers, rather than copying the script to your server.

David Stratton
Hm, I am looking at the `<fb:like>` method... how it can appear on example.com and fetch data from facebook.com. When it is the iframe method, the iframe is of the domain facebook.com, so it can go to facebook.com and fetch any data.
動靜能量
Because it's not violating the rules of the same origin policy. It's not accessing scripts from the main page, and it's not accessing DOM elements on the main page. It is simply performing a post to a page on another server. The same origin policy does not prevent this. (If it DID, there would be no such thing as a CSRF attack). If it was trying to read variable data from a script on your page and pass it to Facebook, or reading from form elements and passing that data to facebook, then there would be a violation.
David Stratton
A: 

If I recall, they use script tag insertion. So when a JS SDK call needs to call out to Facebook, it inserts a `<script src="http://graph.facebook.com/whatever?params...&callback=some_function">` script tag into the current document. Then Facebook returns the data in JSON format as `some_function({...})` where the actual data is inside the `...`. This results in the function `some_function` being called in the origin of example.com using data from graph.facebook.com.

Yuliy
