by wisniewskit 1808 days ago
Lead dev here. Yes, this is a give-and-take that probably will never be "perfect" for everyone.

Right now a site could disingenuously call the relevant Facebook SDK API to unblock the Facebook resources listed here, and only on that site: https://searchfox.org/mozilla-central/source/browser/extensi...

I'm not too sure why that would be worthwhile as an attack, though. If you have anything in mind that would make it so, please let me know.

In the meantime, I'm working on a way to further tighten this a bit so the unblocking will only happen if a popup is successfully opened (so that at least if the popup blocker kicks in, nothing will happen unless the user intentionally allows that popup). I'm not 100% sure if that will work well, but I hope so.


Thanks for your response! Also thanks very much for your efforts! I've been using Firefox exclusively for quite some time, and it's by far the best browser for me. The focus on privacy and user protections (like this one) has also already helped me convince a few people to switch over.

I think the main attack vector I'd be worried about is if the SDK itself implemented a way around this protection, rendering it relatively useless. If that's not a feasible exploit, then I wouldn't be overly worried about it, as it would take effort from each website maintainer to implement and maintain the exploit.

The "real popup" detection sounds like a great addition if it works well!

Right. We'll just have to see if and how Facebook reacts, but I would hope they prefer this kind of opt-in to their login buttons simply being broken in strict/private mode on many sites. In fact I think they're already getting sites to use an alternative login method which doesn't have to be blocked in the same way.