Earlier this year, the Site Integrity team wrote about a tool called “link shim” to warn people about potentially spammy or malicious links. While this tool did an excellent job of protecting people, this implementation caused a delay while your browser performed an extra round trip to Facebook’s servers in order to check the link for maliciousness and hide the referrer.
When I joined Facebook as an intern this summer, I worked on a project to remove this delay, saving people around a second every time they click an external link. In order to do this, I needed to ensure the link shim maintained its security and privacy enhancing functionality.
Detecting Maliciousness
Instead of checking the suspiciousness of a given link on Facebook after a person clicks it, we now check every link on the page before it’s sent to the browser. This is much more intensive than checking only clicked links, but we were able to accomplish it while maintaining user safety. If we find a link to be suspicious, we use the old interstitial warning page; otherwise we allow the user through to the link itself.
Restricting the Referrer
We still need to let the websites you navigate to know the traffic is from Facebook, but we also want to prevent them from reading the full source url. Otherwise, they could know where on the site you were when you clicked their link. In order to strike this balance, we’ve taken advantage of a new feature called the meta referrer, currently available in Chrome 17+ and Safari 6+. This allows us to specify how much of the source url to share with the external site via the Referer header. If you’re using one of these supported browsers you can take advantage of this new feature. Otherwise, your browser will be routed to the slightly slower older system.
This change should reduce the impact of the link shim on your browsing (especially when accessing Facebook from a cellular network) and should help save around a second for a typical user.
*Credit goes to Matt Jones for suggesting this project as well as to Allan Stewart, Chetan Gowda, and Abe Parvand for helping me implement it.*
Ari Chivukula, a former intern on Facebook’s Site Integrity team, estimates this change will save him around 10 hours every year.