
Am I the only one a little wary of scanning for privacy by logging into Facebook and then injecting someone else's scripting code into the page?

(Edited for the pedantic)




I doubt you're the only one - that's why I made the source code completely open:

http://github.com/mjpizz/reclaimprivacy/blob/master/javascri...

The only compressed stuff is the jQuery JavaScript; all other JavaScript is uncompressed and commented. Hope that helps.

[edit: updated line number]


For the source code, I wouldn't include the compressed jQuery if possible. Speed isn't as important here as transparency and it's quite difficult to scan to tell whether there are any issues. I know you don't want to take up a lot of room with jQuery but it really will help increase my ability to recommend to others if all the code is easy to read.

You might also want to put comments on slightly scary things like PARTNER_APPS to be sure people don't believe Yelp are YOUR partners or something crazy like that.

Some of these things sound paranoid, but I'd like people to feel 100% comfortable using your bookmarklet.

It worked great for me and identified some things I missed somewhere. Nice work.


I would use a CDN for the jquery, maybe http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min... - that way, people don't have to make sure you haven't hidden the maliciousness in your version of jquery, which most people might not want to verify.


Done. I left the compressed version deployed for now, but the source code is now 100% uncompressed and commented:

http://github.com/mjpizz/reclaimprivacy/blob/master/javascri...

Thanks for the feedback, esp. about the PARTNER_APPS constant (now called BLOCKABLE_APPS for clarity).


Instead of copying and pasting jQuery into your JS, you could pull it from Google's CDN; that way it would be cached for a lot of people and trustworthy. Well, trustworthy-ish. :)


Yes, but the bookmarklet only contains one line of code, which fetches the remainder of the script from your server. So you could possibly replace it at any time with something evil...

Sorry for being paranoid. I very much like your initiative, but people are going to ask questions about these sort of things.


Yeah, I understand the concern; that is partially why I linked the source to my own GitHub account (adds some accountability) and left everything uncompressed and commented. Unfortunately, it isn't possible to put the entire source into the bookmarklet itself due to browser length limitations, so the remainder of the code will always need to be loaded separately.


Shame there isn't a way (in HTML) to say "the src of this <script> is at http://.... and its SHA512 is a5872... or it's signed by GPG key 0x1276e...". That would solve that problem.


How can I tell the code running on the server is the same as the code you posted on GitHub?


For any of the JavaScript/HTML/CSS, you can just diff it with the GitHub code to be certain. Also, the backend Python code cannot do anything sketchy with your Facebook data, since nothing is done using Facebook's API. And you have my word that I am doing my best to deploy to AppEngine after modifications are made in GitHub. I'm even considering putting up a post-commit hook when I have time.


Yeah, that reminds me of the recent ismycreditcardstolen.com story. They wanted to warn people; they ended up accused of phishing themselves.

Looks like spreading distrust is a double-edged sword (not that I don't share the author's POV on Facebook; I do).



