The Mandelbear's Musings

Thanks to this excellent post on EFF's Deeplinks blog, I can now point the few of you who are interested in the details at Jay Goldman's excellent analysis explaining how FB and their Beacon partners accomplish something that would be a cross-site scripting attack if they weren't ganging up on you to do it. It's done without cookies, by the way; the key part is javascript on the original page dynamically constructing an iframe that does the dirty work talks to Facebook.

So, if blocking cookies won't do it, how do you disable Beacon? The answer is in this blog post by Nate Weiner. Finally, here's CA Security Advisor to point out that Facebook gets the information about your third-party activity whether or not you opt out. Goldman's analysis makes that clear as well. Facebook, of course, says that 'If a Facebook user clicks "No, thanks" on the partner site notification, Facebook does not use the data and deletes it from its servers.'

Do you trust them?