The Security Configuration
A site I began managing last year uses the “Allow Listing” feature to block traffic sent from users on various domains when using the Meta Pixel. The site’s three domains are present as expected in the Facebook Pixel Settings, listing as shown below:
Allow List
recognized.domain.com and subdomains
recognized.domain2.com and subdomains
…and so on…
The Allow Listing also lists these strange entries after the domains, like this:
iframe7.html and subdomains
iframe8.html and subdomains
iframe9.html and subdomains
iframe10.html and subdomains
…and so on…
I am not sure why these were added by the person who managed the site before me. How are these iframe1x.html entries parsed by Facebook when using the Meta Pixel?
Additional context:
Out of curiosity, I attempted to manually craft requests with matching URI elements using cURL (modifying the Referrer: https://wrong.domain.com/iframe7.html header to include matching URI elements when sending from a foreign domain), but I don’t think I could bypass the filter as the URI element did not report as a domain generating any requests. Facebook’s official documentation also lacks any information on this, and I can’t tell if Facebook correctly reports information for URI elements, as it seemed to report at least 1 iframe.html entry creating requests when I last observed the block list.
I also notice the Pixel constantly receives millions of requests from hundreds unidentified websites, as if the Pixel itself is installed on these unidentified websites. The unidentified websites in question don’t have the Pixel installed in any obvious place though, and these unidentified websites are usually other ecommerce or school LMS websites. I wasn’t sure what was happening here, and the statistics for these unidentified websites were missing in the regular pageview data that Facebook provides for events. These sites also do not show as explicitly blocked in the Allow List editing interface either.
I could not confirm or deny if the statistics received from these unidentified websites was actually getting added to my Pixel either, as the testing functionality does not seem to reveal if a request is blocked for security reasons in real-time. A select listing of unidentified domains appeared blocked for unrelated policy reasons, but I have no idea if the iframe.html entries function to unblock other unidentified domains in some form.
tantalized-apple is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.