| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by rmc 5263 days ago

The webpage doesn't send IP address, your browser contacts facebook for the icon and hence sends IP address and cookies to facebook, in the same way that image hotlinking would work.

Remember it's not just IP address, but could be cookies. Facebook can set a cookie that will be stored in your browser and will be sent to facebook each time. So if your laptop moves around, then the facebook cookie follows you.

Since this is at the browser level there are browser extensions that will block this for you if you want.

2 comments

mike-cardwell 5263 days ago

The cookie issue doesn't exist for Safari users as it disables third party cookies by default. I don't know why all browsers don't do this. I've been disabling third party cookies in my browser for years and have never come across a website that it breaks. And if Apple can do it without people complaining, I'm sure Mozilla/Microsoft can too.

I prevent the IP address leak by using the Firefox addon RequestPolicy to block cross-origin requests.

link

jarcoal 5262 days ago

I could be mistaken, but that feature only applies to the creation of cookies by third parties.

If you visit facebook.com, a cookie will be set, then later when you visit another site with a facebook widget, it WILL send that cookie that was set earlier when it wasn't 3rd party.

link

astrodust 5263 days ago

You can also just null out www.facebook.com in your hosts file and be done with it.

link

jonknee 5263 days ago

The widgets aren't served by WWW. Try something like to block everything:

  # Block Facebook
  127.0.0.1 www.facebook.com
  127.0.0.1 facebook.com
  127.0.0.1 login.facebook.com
  127.0.0.1 www.login.facebook.com
  127.0.0.1 fbcdn.net
  127.0.0.1 www.fbcdn.net
  127.0.0.1 fbcdn.com
  127.0.0.1 www.fbcdn.com
  127.0.0.1 static.ak.fbcdn.net
  127.0.0.1 static.ak.connect.facebook.com
  127.0.0.1 connect.facebook.net
  127.0.0.1 connect.facebook.com
  127.0.0.1 www.connect.facebook.net
  127.0.0.1 apps.facebook.com

You can also block the widgets without the site (I log in from time to time but haven't seen a widget in a very long time). These days the like buttons are served from connect.facebook.net I believe.

link