Javascript tools such as PandaWhale's very own bookmarklet.

Pinterest's bookmarklet stopped working on FB long ago. Instead of pinning an image, it just spit out an alert that it could not work on Facebook. Now it seems that Facebook has started setting the script-src directive in the X-WebKit-CSP HTTP header to ban any javascript from loading, except from a few select domains (mainly FB, its own CDN, and a few affiliates).

These types of tools are not an effective way to systematically steal data from FB and post it elsewhere. These tools are really only good for allowing individual users to give app developers a way to piggyback off the user's FB session and pull images and the like out of FB's walled garden.

Now users have one less option for extracting their own data from Facebook. In Zuckerberg's mind, your data ultimately belongs to him, not you, and he wants to set the terms for how and when that data is allowed to move outside of facebook.com.

Is there any way they're trying to justify it as safeguarding users' privacy?

Or are they just trying to stop users from using plug-ins to get our own data?

 I don't know. My guess is that in private meetings they're just as concerned about safeguarding data from up-and-coming websites as they are about limiting the spread of malware, but in press releases this is probably 100% about protecting users.

Protecting users from other websites that might want to give them a vacation from Facebook?

It appears to me that Facebook increasingly wants to be a SINK not a SOURCE.

Just like Twitter.

I believe time will reveal this to be a losing strategy.

The best websites both give and take.

That is, they let you add things from other websites, AND they let you take things to other websites.

Examples include YouTube, Flickr, Pinterest, Reddit, Imgur, and Tumblr.

 Afaik, they can't stop a browser plugin..... Stroking beard... Slow... Growing ... Evil ... Laugh!!!!!!

 Or phantomjs quacking like a duck....

PhantomJS could indeed still load the an external script, but that doesn't provide us with a way to act on behalf of the user because we can't access their FB session like we can in a bookmarklet context. The only way we could use phantom would be if we asked the user to give us login creds, which no one in their right mind would do (though we are going to use Adam's pinterest creds to make phantom auto-pin our daily most popular images!).

A true plugin would still work, but our Chrome Extension is now also b0rked by this change.