59 comments

[ 3.4 ms ] story [ 121 ms ] thread
Not only is it down, but it's redirecting everyone who visits a site with FB Connect on it to this error page. For example: http://www.economist.com
Oooh that's bad. I would be fuming mad if that was happening on my site.
Yes hehehe. Someone will be fired today. :(
That's not how Facebook does things. Actually if you haven't taken down the site, you'll be warned.
(comment deleted)
"Move fast and break things" may work for Facebook.com, but I dunno if souring relationships with important partners will be praised.
(comment deleted)
(comment deleted)
I just got bitten by this. I was visiting a news site and opened ~30 tabs to things I wanted to read. And then those tabs just showed me an error message. Frustrating :(

Edit: Might be worth noting that logging out of FB "fixed" this for me. (But I had to go back and re-open all those tabs.)

The site

http://www.economist.com/

works fine for me, perhaps because I have never used Facebook to log into it.

AFTER EDIT: Replying to the kind reply to this comment, I am ALWAYS logged in to Facebook (with AdBlock Plus and Social Fixer and Ghostery activated, using Chrome), and I was surfing all over the Web completely normally while sites were reported to be redirecting. So maybe something different about my set-up protected me from the problems many other users observed today.

It's not whether you've ever used Facebook to log into The Economist's site, but whether you were logged into Facebook at all. If you were, you were redirected.

EDIT: By the timestamp on your comment, the issue appears to have been fixed, anyway.

With Ghostery running, it should not even load anything from a Facebook domain. The (buggy) code to redirect people to facebook.com would no doubt be served fromFacebook themselves. Stopping that code from being served to your browser means they can't redirect.

I absolutely love Ghostery and other related tools.

(comment deleted)
If you're affected by this logging out of Facebook stops the redirect happening.
Tell that to the millions of users who are just going to blame this on the sites that it's happening to. What a clusterfuck.
(comment deleted)
As pointed out in the previous post, you should not rely 100% on Facebook as your Auth gateway. You should have an alternative for your users to login in case of something like this happens.
This breaks people who have all kinds of other login options. For my site we had to actually exclude the FB JS from our site to prevent the redirect.
A clever way to take over the Internet.
Hmph. And I was just sitting down to do a iOS Facebook connect tutorial.
Seems to be not redirecting anymore, but it definitely was for a while.
Works for me. I just signed into two separate sites with FB Connect.
Does this only affect those logged in to Facebook? I quit Facebook for a year so I'm not sure whether it is fixed or whether I was just not bothered by it at all
Yes, that seems to be the case. Also, it has just apparently been fixed.
Quick, integrate with clef.io instead!
Or https://rublon.com :-) contact me for free API access or vBulletin/phpBB/SMF plugins (mw@rublon.com).
Or give up closed, centralized systems altogether and take a look at Mozilla's Persona project -- the open web deserves open, federated authentication systems.

(N.B.: I work on Persona, and it does have a centralized fallback for bootstrapping browsers and identities. The difference is that the centralization is temporary, optional, and automatically goes away over time.)

A perfect case study in why the current practice of "just add a script tag with 'facebook.com/whatever.js' into your page and all your LIKE buttons will work magically!" is an absolutely terrible idea.
Yep. We prefer the <iframe> solution over their JavaScript-created versions for this reason.
This particular bug is just as likely either way; the js must be changing window.location, there's no reason to think the iframe wouldn't change window.top.location.
IE and Chrome both have ways of restricting iframes from changing window.top.location, but I wouldn't trust them to work.

    IE:
    <iframe src="http://example.com" security="restricted"></iframe>

    Chrome:
    <iframe src="http://example.com" sandbox></iframe>
It's only a terrible idea if you don't have a kill switch. It's also only a terrible idea if the benefits do not outweigh the costs of something like this happening (and you being unable to respond to it.)

Adding the JS file is simple and up until now has always worked. If it ends up driving tons of traffic back to your site it seems worth it.

'Absolutely terrible' is a just a wee bit hyperbolic. It is an idea that has positives and negatives, but you only notice it when it does this. And how many times has it done this since they've implemented it?
Broken behavior related to this happens quite often actually. I've had sites that were bitten by this or some variant. If you follow the Facebook bug tracker it comes up every now and then (it might be localized to a degree in some cases). They do move fast and I think fix it quickly in most cases. In fact there was something that was broken just last week here on HN but the behavior wasn't something that affected so many sites to this degree.
Move Fast and Break Things
Again, building large things on big proprietary services is a bad idea unless you understand what you're getting into.

I can almost guarantee that the folks that implemented FB connect didn't understand that the failure mode could forward all traffic to FB. I have no idea how that could become a rational design decision.

Wow - it's asking me to re-auth the developer app. This is a big bug and we've been very badly bitten by it. Not going to make the same mistake again.
So one day, Mark says to Bill, "Call THAT a monoculture? I got your Central Point of Failure right here!"
Hulu seems to have N-1 redundancy: with Facebook Connect down, I can't even login using my non-facebook Hulu account.