[detaro]

If security of sensitive information depends on tokens in the URL, don't just give those URLs to a third party, how would that ever be a reasonable thing to do? (especially since the third party apparently hasn't given you any guarantees on how they treat that, otherwise we wouldn't be having this conversation?)

Do your users, your broken software and yourself a favor and don't put Facebook tracking crap everywhere.

[radicalbyte]

That's because our industry is full of hopelessly under qualified people who somehow manage to create software by randomly throwing together bits of code from stackoverflow / books and tweaking it until it "works".

[tpllaha]

That's true. But also trackers (especially big ones) deliberately try to make it as easy as possible to accidentally include them in your page. e.g: the if you use their cdn for fonts/style sheets, if you include a fb like button etc.

A friend of mine covers this more extensively in this blog post which I found a very interesting read: https://remusao.github.io/posts/static-comments.html

So I think it's still concerning that once they're in, they start crawling. Although not very surprising I have to say... That's their business after all.

[radicalbyte]

Yeah, of course they'll try that. They're businesses, they make their money by tracking people. When I inherit a team of project these CDN links are the second thing to get removed / fixed (after their the inevitable unencrypted passwords / homerolled security and homerolled SQL).

[jrimbault]

I feel many "web agencies" don't even have devs (or any technical people), they just sell wordpress installations.

[tzahola]

You mean "hopelessly", right?

[radicalbyte]

Yup, thanks :-)