To address this inadvertent sharing of UIDs, Facebook plans to start encrypting the parameters that Facebook passes to iframe-based applications. Facebook has posted the technical details of the proposal on their developers site, including a place for discussion and comments.
The proposal builds on Facebook's recent support for a parameter called signed_request, which was inspired by their discussions in the OAuth community. They will start encrypting this parameter as well, using the application’s secret key, so that only the application will be able to read this information. This will prevent the accidental disclosure of this information via HTTP headers.
Facebook's plan is to enable parameter encryption as an option over the next few weeks and to then work with the community to add support for this option to the various Facebook SDKs. Once the design is finalized, they will work with the developer community to ensure a speedy transition to encrypted parameters.
From Facebook's web site: "While this proposal will address the inadvertent sharing of this information on Facebook, the underlying issue of data sharing via HTTP headers is a Web-wide problem. To address this inadvertent sharing of UIDs, we plan to start encrypting the parameters that we pass to iframe-based applications. We have posted the technical details of the proposal on our developers site, including a place for discussion and comments.
The proposal builds on our recent support for a parameter called signed request which is inspired by our discussions in the OAuth community. We will start encrypting this parameter as well, using the application’s secret key, so that only the application will be able to read this information. This will prevent the accidental disclosure of this information via HTTP headers.
Our plan is to enable parameter encryption as an option over the next few weeks and to then work with the community to add support for this option to the various Facebook SDKs. Once the design is finalized, we will work with our developers to ensure a speedy transition to encrypted parameters.
While this proposal will address the inadvertent sharing of this information on Facebook, the underlying issue of data sharing via HTTP headers is a Web-wide problem. Facebook will continue to work with the Web standards community and browser vendors over the coming months to help address this issue."
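An added illustration, not code from Facebook or from this page: in its signed-only form, signed_request is an HMAC-SHA256 signature and a base64url-encoded JSON payload joined by a dot, so the signature stops tampering but the UID stays readable to anyone who receives the URL in a Referer header, which is the gap the encryption proposal closes. The app secret, URL and user ID below are constructed sample values.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit, parse_qs

APP_SECRET = b"constructed-app-secret"  # constructed sample value, not a real key

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_signed_request(data: dict, secret: bytes) -> str:
    """Platform side: build '<signature>.<payload>'."""
    body = json.dumps(dict(data, algorithm="HMAC-SHA256")).encode()
    payload = b64url_encode(body)
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + payload

def parse_signed_request(signed_request: str, secret: bytes) -> dict:
    """Application side: verify the HMAC before reading any field."""
    sig_part, _, payload = signed_request.partition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_part)):
        raise ValueError("bad signature")
    data = json.loads(b64url_decode(payload))
    if data.get("algorithm") != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    return data

def visible_in_referer(referer: str) -> dict:
    """What a third party receiving this Referer can read, with no secret."""
    token = parse_qs(urlsplit(referer).query)["signed_request"][0]
    return json.loads(b64url_decode(token.split(".", 1)[1]))

# Constructed iframe URL; the browser sends it as the Referer of requests
# that the framed page makes to other hosts.
SAMPLE_TOKEN = make_signed_request({"user_id": "1000001"}, APP_SECRET)
SAMPLE_URL = "https://app.example/canvas?signed_request=" + SAMPLE_TOKEN

if __name__ == "__main__":
    print("app, after verifying:", parse_signed_request(SAMPLE_TOKEN, APP_SECRET))
    print("third party, no key: ", visible_in_referer(SAMPLE_URL))
```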









