http://isc.sans.org/diary.html?storyid=8893
The comments are the real takeaway here –
Comments
Roseman, the bad JavaScript comes from the
“bad” site hosting the fake image, so NoScript should protect from this.
I actually wanted to add that into the diary but somehow forgot 🙂
Just to make things clearer, NoScript will
protect you against Clickjacking attacks no matter whether or not the two
sites involved are whitelisted, because the ClearClick feature (which
is the only effective client-side protection so far against
Clickjacking) works independently of scripting permissions.
http://noscript.net/faq#clearclick
The ‘like’ button could have been designed to
use a simple GET hyperlink to a URI such as
http://facebook.com/like?uri=http://example.com/, at which there could
be a confirmation page including a POSTed HTML form with a nonce/token
field to prevent XSRF.
But then that involves a whole extra mouse click, so it doesn’t qualify as
being 2.0-sleek. Much rather require that sites use IFRAMEs despite
them being deprecated for 10 years now I think. This way, third-party
web pages have the pleasure of loading whatever bloat from Facebook. If
browsers send an HTTP Referer header when loading the IFRAME, Facebook
get the extra bonus of being able to track people’s browsing activities
to any site that shows one of these buttons, whether they’re logged in, a
registered member, or not.
or FBCDN.com? Just wondering if “Noscript” will block this if we have
only whitelisted Facebook.com or perhaps facebook.com and also
FBCDN.com? If the javascript is from an “external” site will Noscript
protect us? Or is the bad javascript coming from Facebook itself?
posted by roseman, Wed Jun 02 2010, 19:28