John Weisz

Reputation: 31972

How does Facebook prevent triggering automatic clicks on Like buttons?

The way I see it, every user event that is relayed to the browser can also be raised programmatically. You can trigger click, mouseover, or really, pretty much anything sane:

document.getElementById('mylink').click();
document.getElementById('mylink').dispatchEvent(new MouseEvent('mouseover', { bubbles: true }));

I know that most social networks - Facebook included - serve their cookie-dispensers social plugins within iframe elements that are placed via JavaScript. But what's stopping anyone from triggering an event into that iframe?

document.getElementById('myframe').contentDocument.getElementById('likebtn').click();

I've found multiple articles that suggest an approach by intercepting clicks (that is, when you click anywhere on the page, you actually click the like button), but none of them detail or examine a way where the click is raised programmatically.

If there is a defense mechanism in place that prevents artificial click events from actually registering on elements, what's stopping anyone from modifying the frame contents with a script, or by relaying through a webserver (though the latter might be complicated due to separate authentication and HTTPS)?


Disclaimer: I do not - in any way - seek a concrete solution that accomplishes this task. I understand and fully support that this - as well as click intercepting - would be a rude, forcing, and horrible behaviour even for Voldemort to pull off. It is one's last mortifying and pathetic attempt at gaining more publicity before failing mercilessly. I'm merely interested in the behind-the-curtain workings.

Upvotes: 0

Views: 133

Answers (2)

adrianvlupu

Reputation: 4618

They rely on cross domain browser policies

document.getElementById('myframe').contentDocument

Is not accessible because the contentDocument is on another domain (facebook). There is no way you can trigger a click programmatically.

document.querySelector('iframe').contentDocument
<!DOCTYPE html>
<html>
<body>
<iframe src="http://www.w3schools.com"></iframe>
</body>
</html>

DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "null" from accessing a cross-origin frame.

Upvotes: 1

Felix Kling

Reputation: 816790

> But what's stopping anyone from triggering an event into that iFrame?

iframes are subject to the same-origin policy and thus can only be accessed by the parent if it is served from the same domain.

More info: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe


Put differently: Facebook (or any other service) doesn't do anything in particular, the security is built into the HTML/DOM/browser.

Upvotes: 2
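
The same-origin check that both answers describe, modelled as an added example (not code from either answer or from any browser). The hostnames, function names and stand-in iframe objects are assumptions constructed for illustration; the guarded accessor covers both ways a cross-origin contentDocument read can fail, by throwing the error quoted above or by returning null.

```javascript
// Added example: a model of the same-origin check, not browser source code.
// All URLs and iframe stand-ins below are constructed sample values.

// Origin = (scheme, host, port). The WHATWG URL parser normalises default
// ports and reports "null" for opaque origins (file:, data:, about:blank).
function originOf(url) {
  return new URL(url).origin;
}

// An opaque ("null") origin never matches anything, including another "null".
function sameOrigin(parentUrl, frameUrl) {
  const a = originOf(parentUrl);
  const b = originOf(frameUrl);
  return a !== 'null' && b !== 'null' && a === b;
}

// Defensive accessor for page code: returns the framed Document only when the
// browser allows it. Cross-origin access either throws a SecurityError
// DOMException or yields null, so both cases are handled.
function frameDocumentOrNull(iframe) {
  try {
    return iframe.contentDocument || null;
  } catch (err) {
    if (err && err.name === 'SecurityError') return null;
    throw err; // unrelated failure: do not hide it
  }
}

// Constructed stand-ins for iframe elements so the block also runs in Node.
const sameOriginFrame = { contentDocument: { title: 'widget' } };
const nullingFrame = { contentDocument: null };
const throwingFrame = {
  get contentDocument() {
    const e = new Error('Blocked a frame from accessing a cross-origin frame.');
    e.name = 'SecurityError';
    throw e;
  },
};

function demo() {
  return {
    likeButton: sameOrigin('https://blog.example/post', 'https://social.example/plugins/like'),
    defaultPort: sameOrigin('https://blog.example/', 'https://blog.example:443/embed'),
    schemeDiffers: sameOrigin('http://blog.example/', 'https://blog.example/'),
    localFile: sameOrigin('file:///tmp/test.html', 'file:///tmp/frame.html'),
  };
}
```
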
