Roshan Praveen Shetty
HomeBlogPhotography
Back to Blog

The Hidden "Like": How Sites Can Force Clicks and How to Do It Right

10/9/20253 min read

A person's finger hovering over a mouse, illustrating the action of clicking.

Ever discovered you've "liked" a Facebook page you have no memory of visiting? You're not alone. This isn't always a mistake; sometimes, it's the result of a deceptive web technique known as clickjacking. In this post, we'll explore the dark pattern behind this trick and, more importantly, discuss the ethical way to integrate social widgets.

The Dark Pattern: An Invisible Trap

The unethical method involves layering a Facebook Like button inside an invisible <iframe> that follows your cursor around the page. Any click you make—whether it's on a link, an image, or just an empty space—is secretly hijacked by the invisible button layered directly underneath your pointer.

Here’s a simplified look at how it’s done. Warning: This technique violates platform policies and is presented for educational security analysis only.

<!-- The Like button is placed in an iframe -->
<iframe id="like-scaffold" src="https://facebook.com/plugins/like.php?href=YOUR-PAGE-URL"></iframe>

/* The CSS that makes the button an invisible, cursor-following trap */
#like-scaffold {
  position: fixed; /* Takes it out of the normal document flow */
  top: 0;
  left: 0;
  width: 50px;  /* Just big enough to contain the "Like" part */
  height: 25px;
  opacity: 0; /* The button is made completely transparent */
  z-index: 9999; /* Ensures it's on top of everything else */
}

A JavaScript mousemove event listener would then continuously update the top and left properties of the iframe to match your cursor's clientX and clientY coordinates. The result? A hidden button that's impossible to avoid.

The Ethical Way: The Facebook JS SDK

The right way to integrate a Like button is to be transparent. The Facebook SDK provides a clean and event-driven way to do this. You embed the button visibly and can subscribe to events to know when a user interacts with it.

<!-- A visible container for the button -->
<div class="fb-like" data-href="YOUR-PAGE-URL" data-width="" data-layout="standard" data-action="like" data-size="small" data-share="true"></div>

<!-- Load the SDK asynchronously -->
<div id="fb-root"></div>
<script async defer crossorigin="anonymous" src="https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v12.0&appId=YOUR_APP_ID"></script>

You can even use the SDK to react when a user likes your page, perhaps by thanking them or unlocking a piece of content—all without resorting to deception.

FB.Event.subscribe('edge.create', function(response) {
  console.log('User liked the page!', response);
  // Example: Show a thank you message
  showThankYouBanner();
});

How to Defend Against Clickjacking

As developers, it's our responsibility to protect users. Here are key defense mechanisms:

  1. X-Frame-Options Header: This HTTP header tells the browser whether it's allowed to render your page inside an <iframe> or <object>. Setting X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN is a powerful first line of defense.

  2. Content-Security-Policy (CSP): A more modern and flexible alternative is the frame-ancestors directive in your CSP header. Content-Security-Policy: frame-ancestors 'none'; provides robust protection against your site being framed by malicious actors.

  3. UI Design: Avoid patterns where critical actions can be performed with a single click on a large, generic overlay. Always prefer explicit user confirmation for sensitive actions.

Ultimately, building trust is paramount. By using transparent methods and robust security practices, we can create better, safer experiences for everyone on the web.

Enjoy this post?