Facebook Bug Redirects the Web Through Javascript Widget Error

You may have heard that Facebook took down a significant portion of the
Internet today.
A bug in their Facebook Connect script — which is installed widely
across many sites including CNN, MSNBC.com, New York Magazine, and many
more places — caused users to be redirected to a Facebook error page.
Here’s a video of what it looked like if you visited NBCNews.com:

The incident raises two good points: 1) the risk of Javascript widgets
creating a “single point of failure” on your web page; and 2) the ways
in which CloudFlare can help protect you from similar errors.

Widgets & SPOF

Facebook Connect works as a piece of Javascript that is embedded on
pages. When the bug occurred, the Javascript effectively hijacked the
page and directed it somewhere else. It may seem like installing a
widget such as the Facebook button is harmless, but today’s incident
shows how much harm it can actually cause.

Björn Kaiser wrote a great blog post last year about the risks that
embedded Javascript widgets can create, and how their failure can create
a single point of failure (SPOF) on your site. In the post, he describes
how you can test the embedded widgets on your page to see what would
happen if any of them fail. Given that no widget provider, even
Facebook, is infallible, it is important to understand the risk of
widget failure bringing down your site.
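
One way to start an inventory of the widgets on a page, as an added example (not code from the original post or from Björn Kaiser's): a Node.js function that lists third-party `<script>` tags and flags those loaded without `async` or `defer`. The sample HTML, host names and function names are constructed for illustration.

```javascript
// Added example: audit a page's <script> tags for third-party widgets that
// load synchronously and can therefore stall the page if the provider fails.
// SAMPLE_HTML and every host in it are constructed for illustration.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://widgets.example-social.test/connect.js"></script>
  <script async src="https://cdn.example-analytics.test/a.js"></script>
  <script src="//share.example-buttons.test/b.js" defer></script>
  <script>var inline = 1;</script>
</head><body></body></html>`;

// Returns one finding per external script served from a host other than the page's.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    // Collect the tag's attributes (quoted, unquoted, or boolean).
    const attrs = {};
    const attrRe = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    if (!("src" in attrs)) continue;          // inline script, nothing fetched
    const src = new URL(attrs.src, page);     // resolves relative and // URLs
    if (src.host === page.host) continue;     // first-party script
    const nonBlocking =
      "async" in attrs || "defer" in attrs || attrs.type === "module";
    findings.push({ host: src.host, url: src.href, blocking: !nonBlocking });
  }
  return findings;
}

// Hosts whose outage would hold up parsing of the page.
function blockingHosts(html, pageUrl) {
  return auditScripts(html, pageUrl).filter(f => f.blocking).map(f => f.host);
}

console.log(auditScripts(SAMPLE_HTML, "https://news.example.test/"));
```

A script flagged as non-blocking can still navigate the page once it runs, so this inventory covers the load-time SPOF risk only, not a widget that misbehaves after loading.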

How CloudFlare Helps

There are two distinct ways in which CloudFlare helps protect you from
Javascript widgets taking down your site. The first is via our Rocket
Loader feature.

While we don’t describe it this way often, Rocket Loader is effectively an on-page
Javascript optimizer. It sits in front of widgets and makes sure they
load as fast as possible. It also has a number of failsafes that can
protect from any widget hijacking your site the way Facebook’s Connect
service did today. While we primarily describe Rocket Loader as a
performance feature, in this role it’s also very helpful for security
and site availability.

The second way we protect sites from misbehaving Javascript widgets is
through CloudFlare’s app store. Many CloudFlare apps are Javascript
widgets of one kind or another. When you install any CloudFlare app, we
go through the process of making sure that the app performs well and can
run asynchronously. This greatly reduces the risk of a
CloudFlare-installed app becoming a SPOF. Moreover, because we can
install, upgrade, and remove apps centrally, if a problem like
Facebook’s had occurred with one of the CloudFlare apps, we could
quickly remove it from pages to keep it from causing harm.

#savetheweb

Today’s Facebook incident shows the risks of misbehaving Javascript
widgets, but it also helps drive home the point on how CloudFlare is
really building a better web. To that end, we will continue to invest in
improving Rocket Loader and adding more and more apps to the CloudFlare
Apps Marketplace. If you haven’t turned on Rocket Loader or added an app
through the CloudFlare Apps Marketplace, you now have one more
reason to check them both out.

Via Cloudflare.com
