Preventing external sites from accessing Facebook profile

 Mikael Willberg

 20.5.2010 English, Suomi Projects · Hacking Facebook

If user is logged on to Facebook account, any website can use Facebook API to access the user's public data. To deny access to this information Firefox users may define filters to Adblock Plus addon.

Original article on this topic Block Sites from Using Your Facebook Login with Adblock Plus

Understanding the filters

I think people should understand what these rules actually mean before they blindly apply them. Advanced users can read the official documentation.

The article suggests adding the following rules. Note: The original article has some flaws, this is a fixed version.

||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net

The rules can be translated like this:

||DESTINATIONSITE^$domain=~SOURCESITE

if the request is going to DESTINATIONSITE (including sub-domains) and it is originating from a site that is not SOURCESITE (or it's sub-domain) then access is blocked.

To say this in plain English. Resources from DESTINATIONSITE can be accessed only from SOURCESITE. All other sites are denied access.

If the user wants to allow a site to have access to Facebook information, it can be added to the rules (all of them). Like this:

||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net|~ALLOWEDSITE
||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net|~ALLOWEDSITE
||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net|~ALLOWEDSITE
||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net|~ALLOWEDSITE

If Facebook starts to use other domains in their service those must be added the rules same way.