diff --git a/helios b/helios
index f4bde266d529fd8386aaf31782e9dd530d9d26e4..e8f1320aabf08b3bbb513a53408ec41128e6ead6 160000
--- a/helios
+++ b/helios
@@ -1 +1 @@
-Subproject commit f4bde266d529fd8386aaf31782e9dd530d9d26e4
+Subproject commit e8f1320aabf08b3bbb513a53408ec41128e6ead6
diff --git a/settings.py.sample b/settings.py.sample
index 2221fd1c332c8011811c00e840583a1be0952137..936054af63eb2f760d47e75a8cc512eb6c6ff888 100644
--- a/settings.py.sample
+++ b/settings.py.sample
@@ -109,6 +109,12 @@ LOGOUT_ON_CONFIRMATION = True
 URL_HOST = "http://localhost:8000"
 SECURE_URL_HOST = "https://localhost:8443"
 
+# this additional host is used to iframe-isolate the social buttons,
+# which usually involve hooking in remote JavaScript, which could be
+# a security issue. Plus, if there's a loading issue, it blocks the whole
+# page. Not cool.
+SOCIALBUTTONS_URL_HOST= "http://127.0.0.1:8000"
+
 # election stuff
 SITE_TITLE = 'Helios Election Server'
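Review bot: The new comment above `SOCIALBUTTONS_URL_HOST` does not state the one property the isolation depends on, namely that this host must be a different origin from `URL_HOST` and `SECURE_URL_HOST`. The sample values do differ (`127.0.0.1` vs `localhost`), but a deployer who sets it to the main site's host would get an iframe in the same origin as the voting pages, where remote JavaScript is presumably not isolated at all. The sample is also plain `http://`, and browsers block an `http://` frame inside a page served from `SECURE_URL_HOST` as mixed content. I would add `# must be a different origin (host or port) from URL_HOST and SECURE_URL_HOST; use https:// in production` and write the assignment as `SOCIALBUTTONS_URL_HOST = "http://127.0.0.1:8000"` to match the spacing of the neighbouring settings. How the value is consumed lives in the `helios` submodule, which this diff only bumps, so confirm the framing behaviour there.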