
How to Cheat on Facebook Apps Permissions



Facebook doesn't care about your security, but you should. Facebook implements OAuth2; regular readers of my blog know how bad OAuth2 is and how much better OAuth2.a could be.

Applications really can't require permissions (the 'scope' param). They suggest them, but you can pick them yourself by editing the authorization URL.


Example: you are redirected to:

https://www.facebook.com/dialog/oauth?client_id=130409810307796&redirect_uri=http%3A%2F%2Fapps.facebook.com%2Ftetris_battle%2F%2F%3Fkt_track_apa%3D1%26reload%3D1%26reloadTime%3D1346239416%26localJS%3Dfalse&state=6997cb601838cb0fb65d53aecbebcd21&scope=publish_actions%2Cemail%2Cuser_location%2Cuser_birthday

Just change the 'scope' param (here it is left empty):

https://www.facebook.com/dialog/oauth?client_id=130409810307796&redirect_uri=http%3A%2F%2Fapps.facebook.com%2Ftetris_battle%2F%2F%3Fkt_track_apa%3D1%26reload%3D1%26reloadTime%3D1346239416%26localJS%3Dfalse&state=6997cb601838cb0fb65d53aecbebcd21&scope=

Then approve the application. You granted nothing special, yet the application works anyway.

UPDATE:

This post had nothing to do with security. I was just bothered by the ugly truth: "you can request permissions, it will look legit and the user can't uncheck them in the UI. Well, unless he's smart enough to change the URL; you need to check permissions in your code."

There are two ways to fix it (OAuth2.a handles the issue this way):

1) The application has a "frozen" scope. It is no longer a param in the URL, just a field in the database. The developer doesn't have to verify what was granted anymore; he can be sure.

2) The application has a "flexible" scope. The client 'suggests' a scope and the user can uncheck the permissions he doesn't want. The application should check explicitly what was granted.
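The following is an added example of fix #2, not code from the original post or from Facebook. It assumes the provider follows RFC 6749 §5.1 and returns a `scope` field in the access-token response listing what was actually granted (Facebook's dialog URL uses comma-separated scopes, so both separators are parsed). `REQUIRED_SCOPES` and the token responses are constructed sample data; the two dialog URLs are the ones shown above.

```python
"""Defensive scope check for an OAuth2 client (added example).

Fix #2 from the post: the app must compare what it needs against what the
provider says was granted, never against what it put in the authorization
URL, because the browser (i.e. the user) controls that URL.
"""
import re
from urllib.parse import parse_qs, urlparse

# Permissions this hypothetical app really needs to function (constructed).
REQUIRED_SCOPES = {"email", "publish_actions"}


def parse_scope(value: str) -> set[str]:
    """Split a scope string on spaces (RFC 6749) or commas (Facebook dialog)."""
    return {s for s in re.split(r"[ ,]+", value.strip()) if s}


def requested_scope_from_url(url: str) -> set[str]:
    """Scope param as it arrived at the provider; user-controllable, so
    informational only. Missing or empty param yields an empty set."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return parse_scope(params.get("scope", [""])[0])


def granted_scope(token_response: dict) -> set[str]:
    """Scopes the provider reports as granted.

    If the provider omits the field we cannot tell what the user approved,
    so we fail closed and treat nothing as confirmed; a real app would then
    query the provider's permissions endpoint before proceeding."""
    return parse_scope(token_response.get("scope", ""))


def missing_scopes(token_response: dict, required=REQUIRED_SCOPES) -> set[str]:
    """Required permissions the user did not grant (empty set means all good)."""
    return set(required) - granted_scope(token_response)


def accept_login(token_response: dict, required=REQUIRED_SCOPES) -> bool:
    """True only when every required permission is confirmed as granted."""
    return not missing_scopes(token_response, required)


if __name__ == "__main__":
    # Constructed token responses: one where the user stripped the scope param
    # (as in the post), one where everything requested was approved.
    stripped = {"access_token": "TOKEN_PLACEHOLDER", "token_type": "bearer", "scope": ""}
    approved = {"access_token": "TOKEN_PLACEHOLDER", "token_type": "bearer",
                "scope": "email publish_actions user_location user_birthday"}
    print("stripped:", accept_login(stripped), missing_scopes(stripped))
    print("approved:", accept_login(approved), missing_scopes(approved))
```

The point of `granted_scope` failing closed on a missing field is that the app never learns what the browser actually sent in the dialog URL; only the provider's answer is trustworthy, so an absent answer must not be read as "everything I asked for".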
