On Sun, 30 Oct 2011 01:12:51 -0700, Marco Schuster marco@harddisk.is-a-geek.org wrote:
> On Sat, Oct 29, 2011 at 4:22 PM, Daniel Friesen lists@nadir-seen-fire.com wrote:
>> - It doesn't scale very well. If you do try to add more vendors and
>> users do enable most of them, you still end up loading from each enabled vendor, slowing things down.
> With the exception of the FB Like/Recommend button, everything (even the FB share link) is just an image paired with an HTML link. Maybe other sites allow embedding their logos, so the only image which needs to be loaded externally is the FB one.

No, both the Twitter and Google +1 share features in that socialshareprivacy are also embeds, not simple images paired with links. In fact, while FB has a static share and Twitter has its static share and intents, being the newest, +1 hasn't implemented a static share feature yet. Likely somewhat related to the separation of +1 and G+, where, unlike with the others, +1ing something doesn't mean you're using G+.

>> - Frankly the UI is pretty bad.
> That's the price you have to pay for total privacy, unfortunately.

No, there are other potential possibilities that don't include a bad UI.

>> - Once you enable a vendor we drop right back to a 3rd party script
>> being injected into the page such that it can do malicious things.
>> Btw, if you're a 3rd party with a script in a page you can go pretty far abusing XHR and history.pushState to make it look to a user like they're browsing the website normally when in reality they're on the same page with the script still running. Oh, and that includes making it look like you're safely visiting the login page when in reality you didn't change pages and the script is still running, ready to catch passwords.
> Do you have any links with further info on this?
> Marco

I don't know of any specific links you can look at; I realized it myself after looking at pushState. It's probably known elsewhere, but I figured it out independently, so I don't know of any more detailed articles or posts on it off the top of my head.
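As an added example (not code from this thread or from the socialshareprivacy project), the following shows the "image paired with a link" alternative the thread contrasts with vendor embeds: share buttons rendered as plain links to the vendors' static share endpoints, with the logos served from the site's own host, so no third-party script runs in the page and the vendor learns nothing until the user clicks. The Facebook sharer and Twitter web-intent URLs are the vendors' real static share endpoints; the local logo paths under `/img/` and the page object shape are assumptions made for the example. Google +1 is deliberately absent, since the thread notes it had no static share feature.

```javascript
// Added example: privacy-preserving share buttons built from static share
// endpoints only. No vendor script or iframe is ever injected into the page.

// Real static share endpoints. Google +1 is not listed: per the thread, it had
// no static share feature, so it could not be offered without a vendor script.
const STATIC_SHARE_ENDPOINTS = {
  facebook: (page) =>
    'https://www.facebook.com/sharer/sharer.php?u=' + encodeURIComponent(page.url),
  twitter: (page) =>
    'https://twitter.com/intent/tweet?url=' + encodeURIComponent(page.url) +
    '&text=' + encodeURIComponent(page.title),
};

// Build a map of vendor -> share URL for the vendors the user has enabled.
// Refusing unknown vendors keeps a misconfiguration from silently falling back
// to an embed.
function buildStaticShareLinks(page, enabledVendors) {
  const links = {};
  for (const vendor of enabledVendors) {
    const build = STATIC_SHARE_ENDPOINTS[vendor];
    if (!build) {
      throw new Error('no static share endpoint for vendor: ' + vendor);
    }
    links[vendor] = build(page);
  }
  return links;
}

// Minimal HTML attribute/text escaping so a page title or URL containing
// quotes or ampersands cannot break out of the generated markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render the buttons as <a><img></a> pairs. The logo is served from the site's
// own host (assumed path /img/share-<vendor>.png), and rel="noopener noreferrer"
// keeps the vendor from getting a window handle or the referring URL on click.
function renderShareMarkup(page, enabledVendors) {
  const links = buildStaticShareLinks(page, enabledVendors);
  return Object.entries(links)
    .map(([vendor, href]) =>
      '<a href="' + escapeHtml(href) + '" rel="noopener noreferrer" target="_blank">' +
      '<img src="/img/share-' + vendor + '.png" alt="Share on ' + escapeHtml(vendor) + '"></a>')
    .join('\n');
}

// Constructed sample page used to exercise the functions.
const SAMPLE_PAGE = {
  url: 'https://example.org/wiki/Main_Page?a=1&b=2',
  title: 'Main Page & more',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderShareMarkup(SAMPLE_PAGE, ['facebook', 'twitter']));
}
```

The generated markup contains no `<script>` or `<iframe>`, so the page's privacy and scaling properties do not change with the number of vendors shown; each button costs one locally hosted image.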