

Facebook will POST data to apps - ptarjan
http://developers.facebook.com/docs/canvas/post

======
aloneinkyoto
This solution is utterly stupid. Why do they pay their engineers millions of
dollars if they don't even know the basic semantics of the HTTP protocol?

Per RFC 2616, the POST method should be used for any context in which a
request is non-idempotent: that is, it causes a change in server state each
time it is performed, such as submitting a comment to a blog post or voting in
an online poll.

The solution to the security problem is to not pass the authentication data in
the query string which is intended for specifying parameters that vary the
result of the performed query. Instead the authentication data should be
passed as custom HTTP headers. E.g. "X-Fb-Sig-User: 218471".

I am very amazed that this is not common knowledge. This is a 20-year-old
protocol that might possibly be the most widely used and implemented high
level communication protocol in human history. Get your shit together people.
Seriously!

edit: I guess I was a bit quick to judge. Didn't realize that the request
originates from an iframe in a browser where you can't easily set custom HTTP
headers. Maybe it is possible to do with some XMLHttpRequest magic, but I
can't think of a solution that would work off the top of my head.

~~~
thezilch
Not to mention application developers -- big or small -- are going to have a
much simpler time changing (or not at all) their applications to receive on
POST kwargs (or REQUEST). You have reason to be dogmatic about HTTP, but this
is hardly a cause to lash out against engineers as stupid or over-paid.

------
ericflo
I'm not excited about having to go through all my apps to update them for
this. It's going to be hours of work, followed by weeks of users reporting
subtle bugs that cropped up as a result.

This kind of frequent, sweeping change is the reason why people despise the
Facebook platform.

~~~
timdorr
There's a setting you can flip to turn this on now for testing. It doesn't
affect a lot, just which particular request variables array you need to pull
from. In many languages, you might not even need to make a change on your end.

------
samstokes
Looks like this is a response to the privacy breach reported last month by the
Wall Street Journal:
[http://online.wsj.com/article/SB1000142405270230477280457555...](http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html)
(HN thread <http://news.ycombinator.com/item?id=1801898>)

From that article:

 _It's not clear if developers of many of the apps transmitting Facebook ID
numbers even knew that their apps were doing so. The apps were using a common
Web standard, known as a "referer," which passes on the address of the last
page viewed when a user clicks on a link. On Facebook and other social-
networking sites, referers can expose a user's identity._

From this article:

 _Sadly, all those parameters [identifying the Facebook user etc] go in the
URL [by which your Facebook app is invoked] and if your app includes any other
external resources (iframes, imgs, scripts, etc.) that sensitive data gets
passed along to them in the HTTP Referer header._
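An added example, not from any commenter or from Facebook's docs: a small Python check that a third-party resource host (or an app developer auditing an embedded widget) can run over its own access logs to see whether embedding pages are leaking canvas parameters in the Referer, plus the canvas URL as it looks once those parameters are moved out of the query string. The log lines and the key names other than fb_sig_user are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, parse_qsl, urlencode, urlunsplit

# Query-string keys that identify the user. fb_sig_user is named in the thread;
# the other two are constructed stand-ins for the rest of the canvas signature.
SENSITIVE_KEYS = {"fb_sig_user", "fb_sig_session_key", "fb_sig"}

# Apache/nginx "combined" log format: host ident user [date] "req" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample: one embedding page still passes the canvas params in the
# URL (and so in the Referer), one has a clean query string, one has no Referer.
SAMPLE_LOG = [
    '10.0.0.1 - - [18/Nov/2010:10:00:01 +0000] "GET /widget.js HTTP/1.1" 200 512 '
    '"http://apps.example.com/canvas/?fb_sig_user=218471&fb_sig_session_key=abc&fb_sig=deadbeef" "Mozilla/5.0"',
    '10.0.0.2 - - [18/Nov/2010:10:00:02 +0000] "GET /widget.js HTTP/1.1" 200 512 '
    '"http://apps.example.com/canvas/?page=2" "Mozilla/5.0"',
    '10.0.0.3 - - [18/Nov/2010:10:00:03 +0000] "GET /img.png HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]


def leaked_keys(referer):
    """Return, sorted, the sensitive query keys present in a Referer URL."""
    qs = parse_qs(urlsplit(referer).query, keep_blank_values=True)
    return sorted(k for k in qs if k in SENSITIVE_KEYS)


def find_referer_leaks(log_lines):
    """Report (requested path, leaked keys) for every log line whose Referer
    carries identifying canvas parameters. A hit means the embedding page is
    still putting user data in the query string."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        keys = leaked_keys(m["referer"])
        if keys:
            hits.append((m["req"].split()[1], keys))
    return hits


def strip_sensitive(url):
    """The canvas URL once identifying params are taken out of the query string
    (Facebook's change moves them into the POST body, which is never sent as
    part of a Referer)."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k not in SENSITIVE_KEYS]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```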

