We recently had a ticket come in at work that one of our teams was getting prompted on about half the pages they visit on the internet for their credentials.
This particular group has a business requirement that only a few users are able to access facebook to run social media campaigns and such, but the rest of the users shouldn't be allowed to access facebook.com. Because of this, we have a BlueCoat policy for this group which prompts users when they visit "facebook.com".
This policy works perfectly for www.facebook.com, but it has unintended consequences - any page that Facebook has integrated with in some way has an http request to a facebook page - "static.ak.facebook.com".
Because of how Facebook is building relationships to integrate its services on most of the web, our team was getting prompted on almost every internet page they visited. These integrations look like this - note the right side, where users can login with their facebook credentials.
Using Fiddler http debugger, I watched a couple of these pages call out to Facebook. Each one that sideloads facebook from another page uses a "referer" call-out in the http header request. Here's a header request snapshot of fiddler:
Looks like requests to facebook directly have the same host information, but not a referer, because the request is not a 'sideload' to facebook, it's directly accessing the page. That's our solution!
Each of the 'referer' field is unique to the page that is sideloading facebook, so a simple string match won't do. Thankfully, BlueCoats support regex matching of http header fields, so I can create a fiddler policy to exempt the traffic which has a referer field - any page which is integrated with facebook. The final and working policy looks like this: