originally published by cbrodigan, Feb 2012
When creating a sub-site, here are two things that could potentially be security issues:
Since the site collects email addresses the site must be exclusively served over HTTPS and the email address collection page must submit the form via HTTPS
2. Facebook & Twitter buttons
Please instruct the developers to review their FB and Twitter buttons prior to finalizing the application.
Here's how to test this:
1. Within Firefox, Go to Tools->Web Developer->Web Console
2. In the new window click on the buttons to disable display of CSS, JS, and Web Developer (Only Net should be visible)
3. Clear any data in the current window (the clear button is on the upper right)
4. Load the Mozilla page
5. Review the requests in the window for anything that has facebook.com or twitter.com
6. If you see any requests to these sites that occur without the user taking any action on the site, then we have an issue
We've accomplished a privacy friendly sharing feature in our other sites. An example can be found here. Just click on the "Share It" button to see options for twitter and facebook. This design only sends requests to facebook/twitter after the user has clicked on the respective icons. Simply viewing our Mozilla page does not result in the user transmitting information to facebook or twitter.