
Widgetjacking: Why more social widgets mean less secure Wi-Fi

17 points by byoogle over 12 years ago

3 comments

patio11 over 12 years ago

"Widgets are a security problem for the embedding site" is old news (tptacek has mentioned it more than a few times) but "Widgets mean that certain high-value targets like gmail can get compromised on virtually any Internet session" is an obvious-in-retrospect-but-otherwise-new insight to me. That's significant enough that I would be thinking of some way to separate cookie/authentication architectures for high-value sites for on-site and off-site content. (e.g. you would give the cookie asserting identity as X associated with Facebook comment boxes on 3rd party sites sufficient authorization to post comments but not sufficient authorization to view the Facebook site proper, and otherwise track it in semi-parallel to the main FB cookies, expiring them at the same time, etc etc.)

Edit to add: While the "Only allow embedding over HTTPS" is attractive from a security perspective, this is one of those occasions where the business has needs which are distinct from and difficult to subordinate to maximizing security. There's very little difference between that remediation and "Turn off Facebook Likes web-wide, please." and that proposal (presumably) is an auto-fail at FB.

Comment #4805125 not loaded
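One way to implement the split cookie/authorization architecture patio11 sketches above, as an added example that is not code from the post or from Facebook: the main-site session and the widget credential are minted together with the same expiry, but the widget credential carries only a comment-posting scope, so a widget token leaked over a plain-HTTP embed cannot open the main site. The signing key, the token format and the scope names are constructed for this demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would use a per-service secret.
SECRET = b"demo-key-not-for-production"

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(user_id: str, scope: str, expires_at: float) -> str:
    """Mint a signed token that carries an explicit scope and expiry."""
    claims = {"sub": user_id, "scope": scope, "exp": expires_at}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{body}.{_sign(body.encode())}"

def issue_session_pair(user_id: str, ttl: int = 3600, now=None):
    """Main-site session and widget token share one expiry, so revoking or
    expiring the main session also kills the off-site credential."""
    now = time.time() if now is None else now
    exp = now + ttl
    return issue_token(user_id, "site", exp), issue_token(user_id, "widget:comment", exp)

def verify(token: str, now=None):
    """Return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(body.encode()).encode()):
        return None  # tampered body or signature
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None  # expired together with the main session
    return claims

def authorize(token: str, required_scope: str, now=None) -> bool:
    """Per-route check: a widget token may post comments but never opens
    the main site, even though it asserts the same identity."""
    claims = verify(token, now)
    return claims is not None and claims["scope"] == required_scope
```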
charlieirish over 12 years ago

This appears to be similar to Ghostery[1] except that Ghostery just blocks all these beacons/tracking scripts/social media scripts and has much more coverage.

[1] https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij

Comment #4805056 not loaded
ajanuary over 12 years ago

Off topic, but why would you put "html { -webkit-text-size-adjust: none }" in your CSS?

Not everyone has great eyesight, and I happen to like being able to zoom in and actually read.

Comment #4805000 not loaded