• Hi,

    I love the OneAll plugin. However, there is one thing that I’m not fond of, and that is that it is loading the remote library.js from http://<your_domain>.api.oneall.com/socialize/library.js for EVERY page … regardless of whether you sign in or not, regardless of whether you sign in through OneAll or directly through the local WP, regardless of whether you have comments enabled/showing or not, etc.

    The file is 44 KB (gzipped to 11 KB). First, it is just unnecessary to load it on every page regardless of the sign-in state and method!

    Secondly, it is a security/privacy issue. OneAll effectively sees all the activity on my site, from every visitor … it’s like having Google Analytics installed. Except that for Google Analytics I give explicit permission (and I also get to see the stats).

    Please fix this! I won’t be able to continue using or recommending it.

    Otherwise, just keep up the good work.
    Cheers.

    p.s. You just need to add a few pertinent conditions in user_interface.php at line 13.

    http://wordpress.org/extend/plugins/oa-social-login/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Try using the “Plugin Organizer” plugin and disabling “Social Login” on all but your wp-login.php page.

    @normadize, excellent point. +1

    I have actually contacted OneAll but have yet to hear back from them on this.

    I have come up with the following solution until this is addressed.

    Please feel free to correct/improve:

    // if not login/register page, deregister oneall social login library.js
    function oneall_deregister_javascript() {
    	if ( !is_page( array( 'login', 'register' ) ) ) {
    		wp_deregister_script( 'oa_social_library' );
    	}
    }
    add_action( 'wp_print_scripts', 'oneall_deregister_javascript', 100 );

    Thread Starter normadize (@normadize)

    @mightypixel: the person behind OneAll (it’s just one person) does read and reply in these forums (*) and you can be sure he read this thread too. I’m disappointed by the lack of reaction towards such important issues …

    I would go as far as to say that the OneAll plugin should be banned by WP for this privacy breach, given that it is not specified in the docs or at install time, nor does it ask for relevant permission.

    I’ve stopped using OneAll and have since been recommending against it.

    (*) he had some interventions in other threads (see the thread regarding the logo/brand removal) which were also disappointing.

    @mightypixel, couldn’t we extend your idea of deregistration to deregister the remote js and replace it with a local call? Obviously, that would move the burden of version control to the local dev, but it seems a neat solution to the offsite script code concern.
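
The idea raised in the last reply, sketched as an added example (it is not code from any poster or from OneAll): drop the remote script everywhere and serve a reviewed local copy on the login/register pages only, refusing to load it if the file no longer matches a pinned hash. The handle `oa_social_library` is taken from the snippet earlier in the thread; the local path, the pinned hash placeholder and the assumption that the library works when self-hosted are not confirmed by the thread.

```php
<?php
// Added example. Assumptions: the plugin registers its script under the
// handle 'oa_social_library' (from the snippet in this thread) and the
// library still works when served from the site itself.

// Hypothetical location of the reviewed copy inside the active theme.
define( 'OA_LOCAL_LIBRARY_REL', '/js/vendor/oneall-library.js' );
// Placeholder: SHA-384 (lowercase hex) of the copy you reviewed, e.g. from
// `sha384sum oneall-library.js`. Until replaced, the script is never loaded.
define( 'OA_LOCAL_LIBRARY_SHA384', 'REPLACE_WITH_SHA384_HEX_OF_REVIEWED_COPY' );

function oneall_use_pinned_local_library() {
	// Remove the remote library.js on every page first.
	wp_deregister_script( 'oa_social_library' );

	// Only the login/register pages need the library at all.
	if ( ! is_page( array( 'login', 'register' ) ) ) {
		return;
	}

	$path = get_stylesheet_directory() . OA_LOCAL_LIBRARY_REL;
	if ( ! is_readable( $path ) ) {
		return; // No local copy: load nothing rather than the remote file.
	}

	// Version control is now the site owner's job, so make drift visible:
	// a changed or replaced file fails closed and is logged.
	$actual = hash_file( 'sha384', $path );
	if ( ! hash_equals( OA_LOCAL_LIBRARY_SHA384, $actual ) ) {
		error_log( 'oneall: local library copy does not match pinned hash' );
		return;
	}

	// Re-register the same handle, now pointing at the local file. The hash
	// prefix is used as the version string so caches refresh on updates.
	wp_register_script(
		'oa_social_library',
		get_stylesheet_directory_uri() . OA_LOCAL_LIBRARY_REL,
		array(),
		substr( $actual, 0, 12 ),
		false
	);
	wp_enqueue_script( 'oa_social_library' );
}
// Same hook and priority as the deregistration snippet in this thread.
add_action( 'wp_print_scripts', 'oneall_use_pinned_local_library', 100 );
```

Self-hosting removes the third-party request for the script file itself; whether the library contacts OneAll once it runs on the login page has to be checked in the browser's network panel.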

  • The topic ‘Privacy issue and unnecessary loading of remote OneAll Javascript’ is closed to new replies.