(Update: As a result of this post Disqus fixed this issue on 9th Jan! See here)
Recently I was making some tweaks to my blog and reviewing the page load time. I noticed that when I loaded an article the Facebook SDK was being loaded!
This was a bit strange as I didn’t recall ever having added any Facebook widgets to my blog. Not only is this somewhat wasteful and harming my load time, it also bugged me that visitors were having these URLs sent to Facebook. I’ve always thought it strange that Facebook seems to know everywhere I’ve been and it seems my blog is adding to this without me even knowing!
So, I checked why this file was being loaded and was surprised to see Disqus as the initiator. I do have Disqus comments on my blog but that doesn’t seem like a good reason to have the Facebook SDK loaded immediately! I tweeted Disqus, though unsurprisingly I haven’t received a response.
Fast forward a week and I was reading Troy Hunt’s I just permanently removed all ad network code from my blog. Troy cited tracking as one of the reasons for removing ads (I strongly support this decision; running unknown JavaScript from ad networks on an HTTPS site always seemed a bit weird to me). In a response on Twitter I noticed someone asked him about still having Disqus, which reminded me about what I’d seen on my blog, and I wondered whether the same thing happened there.
Well, it turns out it does. Here’s Troy’s blog loading the Facebook SDK and clearly sending the URL for the post I’m reading to Facebook in the referer header (it’s URL-encoded in the querystring of the Disqus comments frame URL).
Now, you might say that this isn’t really the URL of the page, it’s going via Disqus and Facebook won’t read it. I’d counter that since Facebook are very interested in tracking where you visit and Disqus is so common, it is in their best interest to understand this URL and extract the real article URL from the querystring.
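To check a site for this kind of disclosure, the sketch below (an added example, not code from the original post or from Disqus) scans HAR-style request records and reports every request to a non-site host whose Referer reveals a page URL, either directly or URL-encoded in the querystring of an intermediate frame URL. The hostnames, paths and the `page_url` parameter name in the sample are constructed placeholders; the scan does not depend on any particular parameter name.

```javascript
// Constructed sample: HAR-style request records (url + Referer header).
// Hostnames, paths and the "page_url" parameter name are hypothetical.
const sampleEntries = [
  { url: "https://comments.example/embed.js",
    referer: "https://blog.example/posts/my-article/" },
  { url: "https://social-sdk.example/sdk.js",
    referer: "https://comments.example/embed/comments/?forum=myblog" +
             "&page_url=https%3A%2F%2Fblog.example%2Fposts%2Fmy-article%2F" },
  { url: "https://blog.example/css/site.css",
    referer: "https://blog.example/posts/my-article/" },
];

function tryParseUrl(value) {
  try {
    const u = new URL(value);
    return (u.protocol === "http:" || u.protocol === "https:") ? u : null;
  } catch { return null; }
}

// Page URLs on `firstPartyHost` that a Referer value discloses, either
// directly or URL-encoded inside one of its query parameters.
function disclosedPageUrls(referer, firstPartyHost) {
  const ref = tryParseUrl(referer);
  if (!ref) return [];
  const found = [];
  if (ref.hostname === firstPartyHost) found.push({ via: "referer", pageUrl: ref.href });
  for (const [name, value] of ref.searchParams) {  // values arrive percent-decoded
    const nested = tryParseUrl(value);
    if (nested && nested.hostname === firstPartyHost) {
      found.push({ via: `referer query "${name}" on ${ref.hostname}`, pageUrl: nested.href });
    }
  }
  return found;
}

// Report every request to a host other than the site's own that carries a page URL.
function auditReferrerLeaks(entries, firstPartyHost) {
  const findings = [];
  for (const { url, referer } of entries) {
    const target = tryParseUrl(url);
    if (!target || target.hostname === firstPartyHost) continue;
    for (const hit of disclosedPageUrls(referer, firstPartyHost)) {
      findings.push({ receiver: target.hostname, ...hit });
    }
  }
  return findings;
}

console.log(auditReferrerLeaks(sampleEntries, "blog.example"));
```

The second finding is the indirect case: the receiving host never sees the blog as the referrer, yet the article URL is still recoverable from the frame URL's querystring.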
I did a little more digging and discovered that this only happens if you’re not logged in to Disqus. It also happens even if Do-Not-Track is enabled in your browser. It’s almost certainly a result of the “Sign in with Facebook” functionality; however, I don’t believe it has to be (nor should be) this way. If I implemented “Sign in with Facebook” on my site directly then I’ve chosen to pull the Facebook SDK in and probably understand the implications. Adding Disqus comments doesn’t really scream out that the Facebook SDK will be loaded for all “anonymous” visitors even before they’ve scrolled anywhere near the Disqus comments.
I’m certain Disqus could fix this, not only resulting in better load times but also better privacy for users. Yes, logging in with Facebook might become slightly slower as a result but this doesn’t seem like a compelling enough reason to keep it as-is to me.
I don’t think Disqus will change this as a result of my tweet so I figured I’d try and raise some awareness and maybe that would help encourage them.
Yes, my blog is still using Disqus today. If they don’t fix this then I will probably investigate moving away. I don’t know what good alternatives exist (or how easily I can move all existing comments - which have great value on some posts) so it will take some time if it happens.