Social Login
Privacy issue and unnecessary loading of remote OneAll JavaScript (6 posts)

  1. normadize
    Posted 3 years ago #


    I love the OneAll plugin. However, there is one thing that I'm not fond of, and that is that it is loading the remote library.js from http://<your_domain>.api.oneall.com/socialize/library.js for EVERY page ... regardless of whether you sign in or not, regardless of whether you sign in through OneAll or directly through the local WP, regardless of whether you have comments enabled/showing or not, etc.

    The file is 44 KB (gzipped to 11 KB). First, it is just unnecessary to load it on every page regardless of the sign-in state and method!

    Secondly, it is a security/privacy issue. OneAll effectively sees all the activity on my site, from every visitor ... it's like having Google Analytics installed. Except that for Google Analytics I give explicit permission (and I also get to see the stats).

    Please fix this! I won't be able to continue using or recommending it.

    Otherwise, just keep up the good work.

    p.s. You just need to add a few pertinent conditions in user_interface.php at line 13.


  2. Alex Schenker
    Posted 2 years ago #

    Try using the "Plugin Organizer" plugin and disabling "Social Login" on all but your wp-login.php page.

  3. mightypixel
    Posted 2 years ago #

    @nomadize, excellent point. +1

    I have actually contacted OneAll but have yet to hear back from them on this.

  4. mightypixel
    Posted 2 years ago #

    I have come up with the following solution until this is addressed.

    Please feel free to correct/improve:

    // if not login/register page, deregister oneall social login library.js
    function oneall_deregister_javascript() {
    	if ( !is_page( array( 'login', 'register' ) ) ) {
    		wp_deregister_script( 'oa_social_library' );
    	}
    }
    // priority 100 so this runs after the plugin has registered its script
    add_action( 'wp_print_scripts', 'oneall_deregister_javascript', 100 );

  5. normadize
    Posted 2 years ago #

    @mightypixel: the person behind OneAll (it's just one person) does read and reply in these forums (*) and you can be sure he read this thread too. I'm disappointed by the lack of reaction towards such important issues ...

    I would go as far as to say that the OneAll plugin should be banned by WP for this privacy breach given that it is not specified in the docs or at install time, nor asks for relevant permission.

    I've stopped using OneAll and have since been recommending against it.

    (*) he had some interventions in other threads (see the thread regarding the logo/brand removal) which were also disappointing.

  6. ImTheirWebGuy
    Posted 2 years ago #

    @mightypixel, couldn't we extend your idea of deregistration to deregister the remote js and replace it with a local call? Obviously, that would move the burden of version control to the local dev, but it seems a neat solution to the offsite script code concern.

Topic Closed

This topic has been closed to new replies.
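
To confirm that a workaround like the ones in this thread took effect, the rendered HTML of each page can be audited for `<script src>` tags that point at a host other than the site's own. This is an added example, not code from the thread or from the plugin; the site host, the `mysite` subdomain, the page paths and the HTML samples are constructed, and the check only sees static script tags, not scripts injected at runtime.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample input: rendered HTML per path for a hypothetical site.
SITE = "https://blog.example.org"
PAGES = {
    "/": '<html><head><script src="/wp-includes/js/jquery/jquery.js"></script>'
         '<script src="http://mysite.api.oneall.com/socialize/library.js"></script></head></html>',
    "/login/": '<script src="//mysite.api.oneall.com/socialize/library.js"></script>',
    "/about/": '<script src="/wp-content/themes/t/main.js"></script><script>var x = 1;</script>',
}
# Paths where the remote login library is expected (assumed to match the is_page() check).
ALLOWED_PATHS = {"/login/", "/register/"}


class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # Record the src of every <script> tag; inline scripts have none.
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)


def third_party_scripts(site, path, html):
    """Return absolute URLs of scripts served from a host other than the site's."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    page_url = urljoin(site, path)
    own_host = urlparse(site).hostname
    # urljoin resolves relative and protocol-relative (//host/...) sources.
    absolute = (urljoin(page_url, src) for src in collector.sources)
    return [u for u in absolute if urlparse(u).hostname != own_host]


def audit(site, pages, allowed_paths):
    """Map each path outside allowed_paths to the remote scripts it still loads."""
    findings = {}
    for path, html in pages.items():
        remote = third_party_scripts(site, path, html)
        if remote and path not in allowed_paths:
            findings[path] = remote
    return findings


if __name__ == "__main__":
    print(audit(SITE, PAGES, ALLOWED_PATHS))
```

In practice `PAGES` would be filled from fetched copies of the site's own pages, both logged out and logged in, since the thread's complaint covers both states.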
