Notifications are fetched from mobile.facebook.com, which means the site interface will depend on the (custom) user agent, for example:
If you spoof as Firefox 13, you will get the basic site layout.
If you spoof as Chrome or any mobile browser that is modern enough, you will get the touch screen (a.k.a. likely official app) layout.
In my opinion, using or fetching notifications from mobile.facebook.com is less trustworthy, because I never see this subdomain included when using touch.facebook.com on generic connections (home or workplace Wi-Fi). However, on mobile data, if I've forced Face Slim to load the mobile site (which always goes to touch.facebook.com when opening the app), everything fails to load because their system switches the XMLHttpRequest queries to be called from or sent to mobile.facebook.com instead, but the CORS policy forbids that and prevents it from happening.
In other words, Facebook seems to be trying to switch subdomains for those who use Facebook's mobile site on a data plan.
And it occasionally connects to h.facebook.com without proper HTTPS protocol; that's why it's likely less trustworthy and possibly dangerous.
Suggestions
Fetching notifications should use subdomains that respect user settings, e.g.
If you select Force basic site, all notifications should be fetched and/or opened from mbasic.facebook.com
And the rest should work the same way, e.g.
touch.facebook.com for users who choose to force the app to load the mobile site.
0.facebook.com for Facebook Zero users.
m.facebookcorewwwi.onion for users who use Tor/Orbot.
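
One way to express the suggestion above as a check, added here as an example (it is not code from the post or from Face Slim): the notification origin is derived from the user's chosen mode, and any request that is not HTTPS or not on that exact host is refused. The mode names `basic`, `touch`, `zero` and `tor`, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added example. Mode names are hypothetical labels for the app's settings;
// the hostnames are the ones listed in the suggestion above.
const HOST_BY_MODE = Object.freeze({
  basic: "mbasic.facebook.com",
  touch: "touch.facebook.com",
  zero: "0.facebook.com",
  tor: "m.facebookcorewwwi.onion",
});

// Origin that notification fetches should use for the selected mode.
function notificationOrigin(mode) {
  if (!Object.prototype.hasOwnProperty.call(HOST_BY_MODE, mode)) {
    throw new Error(`unknown mode: ${mode}`);
  }
  return `https://${HOST_BY_MODE[mode]}`;
}

// Decide whether a request URL may be loaded while `mode` is selected.
function checkRequest(mode, rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  // Plain-HTTP connections are refused whatever the host is.
  if (url.protocol !== "https:") {
    return { allowed: false, reason: "not HTTPS" };
  }
  // user@host forms can disguise the real destination.
  if (url.username || url.password) {
    return { allowed: false, reason: "credentials in URL" };
  }
  // Exact host match: no silent switch to another subdomain, no lookalikes.
  const expected = new URL(notificationOrigin(mode));
  if (url.host !== expected.host) {
    return { allowed: false, reason: `host ${url.hostname} is not ${expected.hostname}` };
  }
  return { allowed: true, reason: "ok" };
}
```
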