I just got bitten by this. I was visiting a news site and opened ~30 tabs to things I wanted to read. And then those tabs just showed me an error message. Frustrating :(
Edit: Might be worth noting that logging out of FB "fixed" this for me. (But I had to go back and re-open all those tabs.)
Works fine for me, perhaps because I have never used Facebook to log into it.
AFTER EDIT: Replying to the kind reply to this comment, I am ALWAYS logged in to Facebook (with AdBlock Plus and Social Fixer and Ghostery activated, using Chrome), and I was surfing all over the Web completely normally while sites were reported to be redirecting. So maybe something different about my set-up protected me from the problems many other users observed today.
With Ghostery running, it should not even load anything from a Facebook domain. The (buggy) code to redirect people to facebook.com would no doubt be served from Facebook themselves. Stopping that code from being served to your browser means they can't redirect.
I absolutely love Ghostery and other related tools.
It's not whether you've ever used Facebook to log into The Economist's site, but whether you were logged into Facebook at all. If you were, you were redirected.
EDIT: By the timestamp on your comment, the issue appears to have been fixed, anyway.
A perfect case study in why the current practice of "just add a script tag with 'facebook.com/whatever.js' into your page and all your LIKE buttons will work magically!" is an absolutely terrible idea.
It's only a terrible idea if you don't have a kill switch. It's also only a terrible idea if the benefits do not outweigh the costs of something like this happening (and you being unable to respond to it.)
Adding the JS file is simple and up until now has always worked. If it ends up driving tons of traffic back to your site it seems worth it.
'Absolutely terrible' is just a wee bit hyperbolic. It is an idea that has positives and negatives, but you only notice it when it does this. And how many times has it done this since they've implemented it?
Broken behavior related to this happens quite often actually. I've had sites that were bitten by this or some variant. If you follow the Facebook bug tracker it comes up every now and then (it might be localized to a degree in some cases). They do move fast and I think fix it quickly in most cases. In fact there was something that was broken just last week here on HN but the behavior wasn't something that affected so many sites to this degree.
This particular bug is just as likely either way; the js must be changing window.location, there's no reason to think the iframe wouldn't change window.top.location.
I just removed the FB connect code from Pen.io - Causing automatic redirects for all logged in users. Luckily it was easy to kill for us and won't cause users any issue with logging in.
From the same article:
"Instead, the company is standardizing the interactions between Facebook and third parties via Facebook's new Open Graph protocol and the OAuth 2.0 standard."
This outage goes to show that a lot of people who have implemented Facebook Connect are doing it wrong. If the only way people can login to your website or application is via Facebook then you deserve every bit of downtime you get (cynical, but true). You should never solely rely on a third party service at any time, regardless of how big to fail they appear to be. Always allow a user to login more ways than one.
Facebook logins for mobile web pages are also failing for many users (which Facebook considers "Priority: Low"). Facebook has been having serious blocking issues for days.
I poked around a bit. When you include Facebook's JS, it calls on a PHP file which (inter alia) returns a <meta> tag with a redirection instruction taking you to the broken page.
As pointed out in the previous post, you should not rely 100% on Facebook as your Auth gateway. You should have an alternative for your users to log in in case something like this happens.
Does this only affect those logged in to Facebook? I quit Facebook for a year so I'm not sure whether it is fixed or whether I was just not bothered by it at all.
Again, building large things on big proprietary services is a bad idea unless you understand what you're getting into.
I can almost guarantee that the folks that implemented FB connect didn't understand that the failure mode could forward all traffic to FB. I have no idea how that could become a rational design decision.
Appears to be "fixed" now. Economist.com no longer redirects. FB's own developer pages (https://developers.facebook.com/roadmap/) used to manifest this too, and no longer do.
This pushed us to implement a kill switch for our facebook functionality. Something we'll keep in mind the next time we're integrating with third party services.
Or give up closed, centralized systems altogether and take a look at Mozilla's Persona project -- the open web deserves open, federated authentication systems.
(N.B.: I work on Persona, and it does have a centralized fallback for bootstrapping browsers and identities. The difference is that the centralization is temporary, optional, and automatically goes away over time.)
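
An added example, not part of the thread and not any site's actual code: one way to build the kill switch several comments mention, combined with a sandboxed iframe so that framed third-party code cannot navigate the top-level page. The flag object, function names, `/share` fallback route and `widgets.example` origin are all hypothetical.

```javascript
// Server-side rendering of a third-party social widget behind a kill switch.
// Every name here (flags shape, WIDGET_ORIGIN, /share route) is an assumption.

const WIDGET_ORIGIN = "https://widgets.example"; // placeholder third-party origin

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Kill switch: the widget is on only when an operator-controlled flag says so
// and that flag was refreshed recently. Missing or stale state fails closed,
// so losing the flag service removes the widget instead of leaving it on.
function widgetEnabled(flags, nowMs, maxAgeMs = 60000) {
  if (!flags || flags.socialWidget !== true) return false;
  if (typeof flags.fetchedAtMs !== "number") return false;
  return nowMs - flags.fetchedAtMs <= maxAgeMs;
}

// Render the widget slot for one page.
function renderWidget(pageUrl, flags, nowMs) {
  const encoded = encodeURIComponent(pageUrl);
  if (!widgetEnabled(flags, nowMs)) {
    // Switch is off: degrade to a first-party link; no third-party code loads.
    return `<a class="share-fallback" href="/share?u=${escapeAttr(encoded)}">Share</a>`;
  }
  // Switch is on: the third-party code runs in its own frame, not in the page.
  // The sandbox list deliberately omits allow-top-navigation, so a redirect
  // issued inside the frame (meta refresh, window.top.location) cannot move
  // the embedding page. allow-same-origin only lets the cross-origin widget
  // keep its own origin and cookies.
  const src = `${WIDGET_ORIGIN}/like?href=${encoded}`;
  return `<iframe src="${escapeAttr(src)}" ` +
    `sandbox="allow-scripts allow-same-origin allow-popups" ` +
    `referrerpolicy="no-referrer" loading="lazy" title="Like"></iframe>`;
}
```

Flipping `socialWidget` to `false` in the flag store takes effect on the next render, without a deploy.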