Facebook app fails to load - Content Security Policy "frame-src" - facebook

We have a Facebook app that has been around for a long time. It's a page-based app, loading up in an iframe. Of late, it is failing to load, and this error appears in the Chrome console:
[Report Only] Refused to frame 'https://edit.ihouseelite.com/' because it violates the following Content Security Policy directive: "frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com".
You can see the problem in our test page:
https://www.facebook.com/Test-page-1158553550884937/app/451851288205481
First - this message starts with "Report Only". Does that mean that this error is not really an error, but perhaps an indication of future problems?
Assuming that it really is an error, how do I fix it? It seems like the CSP is something set by Facebook, so they only permit specific domains to load up in iframes within a Facebook page. Or am I reading that incorrectly? I figured that setting the domain in the App Settings (basic) would adjust the CSP, but it doesn't seem to have done that. We have a couple thousand customers who are using our app, so I would really like to figure out how to fix this. All suggestions welcome.

Yes, it's Facebook's CSP. Facebook publishes two CSPs, Content-Security-Policy and Content-Security-Policy-Report-Only; you can see them in the dev tools.
Using CSP in Report-Only mode, Facebook is just testing something; there is no real blocking, only violation reports being sent.
Facebook's CSP cannot be affected just like that, but when a legitimate application is created, Facebook should automatically add the app's domain to the frame-src directive.
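Added example (not part of the original post and not Facebook's code): a small checker that parses a pair of CSP headers and decides whether framing a given URL would be blocked by the enforced policy or only reported by the Report-Only one, using the host-source matching rules of the CSP spec for frame-src (with the child-src and default-src fallbacks). The header values are constructed; only the frame-src list is copied from the console message in the question, and the enforced header is a hypothetical one that still permits any frame.

```javascript
// Added example: decide whether an iframe URL is blocked, merely reported, or allowed
// under an enforced CSP header plus a Report-Only CSP header.
// The header values are constructed for illustration (see lead-in).

const PAGE_SCHEME = "https:"; // the page doing the framing is served over https

// "frame-src a b; report-uri /x" -> { "frame-src": ["a", "b"], "report-uri": ["/x"] }
function parsePolicy(headerValue) {
  const directives = {};
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression ("*.facebook.com", "https:", "*", ...) match url?
// Keyword sources ('self', nonces, hashes) and port-sources are deliberately not handled.
function sourceMatches(source, url) {
  const src = source.toLowerCase();
  if (src === "*") return true;
  if (src.startsWith("'")) return false;                              // 'none' and other keywords
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme-source, e.g. "https:"

  let scheme = null;
  let hostPart = src;
  const m = src.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1] + ":"; hostPart = m[2]; }
  const host = hostPart.split("/")[0].split(":")[0]; // drop path and port

  // Scheme rule: an explicit scheme must match; a bare host matches the page's
  // own scheme, and https is always acceptable (secure upgrade).
  const schemeOk = scheme ? url.protocol === scheme
                          : url.protocol === PAGE_SCHEME || url.protocol === "https:";
  if (!schemeOk) return false;

  if (host.startsWith("*.")) {
    const suffix = host.slice(1);                      // "*.facebook.com" -> ".facebook.com"
    // a wildcard matches subdomains only, never the bare apex
    return url.hostname.endsWith(suffix) && url.hostname.length > suffix.length;
  }
  return url.hostname === host;
}

// frame-src falls back to child-src, then default-src, when it is absent.
function frameSources(policy) {
  return policy["frame-src"] || policy["child-src"] || policy["default-src"] || null;
}

// "blocked" if the enforced policy rejects the frame, "reported-only" if only the
// Report-Only policy rejects it (a report is sent, nothing is blocked), else "allowed".
function frameDecision(enforcedHeader, reportOnlyHeader, frameUrl) {
  const url = new URL(frameUrl);
  const allowedBy = (header) => {
    const sources = frameSources(parsePolicy(header));
    return sources === null || sources.some((s) => sourceMatches(s, url));
  };
  if (!allowedBy(enforcedHeader)) return "blocked";
  if (!allowedBy(reportOnlyHeader)) return "reported-only";
  return "allowed";
}

// Constructed headers: the enforced one is hypothetical and still allows any frame;
// the Report-Only one carries the frame-src list quoted in the question.
const ENFORCED_CSP = "default-src *; frame-src *";
const REPORT_ONLY_CSP =
  "frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com; report-uri /csp_report";

console.log(frameDecision(ENFORCED_CSP, REPORT_ONLY_CSP, "https://edit.ihouseelite.com/")); // reported-only
```

Run it with node and swap the constructed ENFORCED_CSP for the real Content-Security-Policy value copied from the response headers to see whether a given frame URL is currently blocked or only reported. Note that "*.facebook.com" does not cover "facebook.com" itself, and that a bare host-source never matches a plain http: frame on an https page.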

Related

Facebook login redirect error Prestashop tmsociallogin

I have a problem with Facebook login on PrestaShop. I am using the TemplateMonster Social Login plugin (tmsociallogin). It worked a few months ago but now it has stopped. I am receiving this error:
"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."
URLs and paths are set correctly in the app settings, I think (correct domain, correct redirect URL, correct app domain). You can see my settings in the screenshots below.
I have found a lot of answers, but everywhere I've seen that I have to uncheck "Use Strict Mode for Redirect URIs" in the FB app settings. I can't do that: this option is locked to "Yes" and I cannot do anything about it.
Please, anybody, help me :( PrestaShop version 1.6
[screenshots: App settings 1, App settings 2, Facebook error]
It happens because Facebook has changed its security policy and forbidden the use of non-strict mode for redirects. But the module was using this option to redirect to the same page after login, so now it causes the issue. To solve this, you need to remove all mentions of a "back" parameter within all files related to the Facebook login functionality. I don't know your exact version of the module, but I think the list of files will be the same:
controllers/facebooklogin.php
controllers/facebookregistration.php
views/templates/hook/header-account.tpl
views/templates/hook/social-login-buttons.tpl
In the *.tpl files, remove only those entities which are related to Facebook.
And in your Facebook API settings you must add two redirect URLs:
If you use Friendly URLs:
- your_domain/module/tmsociallogin/facebooklink
- your_domain/module/tmsociallogin/facebooklogin
or if not:
- your_domain/index.php?fc=module&module=tmsociallogin&controller=facebooklogin
- your_domain/index.php?fc=module&module=tmsociallogin&controller=facebooklink
Also, if you aren't sure yet which mode you are going to use, you can add all four variants.

Link to an insecure page from secure canvas page no longer working in Chrome

It looks like a recent Chrome update broke this by tightening mixed content (https/http) security policies, and I read that Firefox plans to do this too.
Here's the issue:
Say I set the Secure Canvas URL of my app to https://themediadudes.com/httpstest/
That page contains only a link to Google:
Google
When I view the app on Facebook and click the link, nothing happens. An error appears in the console:
[blocked] The page at https://apps.facebook.com/myappname/ ran insecure content from http://www.google.com/.
I understand that having insecure scripts/stylesheets etc. on an https page isn't allowed, but a simple link to a different website shouldn't be blocked, right? I assume Facebook is running some scripts which do something with the page before sending the user there, which causes the error.
If I set the target of the link to _top or _blank it works.
Ideally I want to be able to use a javascript window.location to send the user to this insecure URL, or header('Location: blah'); in PHP. But neither of those work either. And it looks like this is a bigger problem than that if even a simple link to an insecure URL doesn't work.
I thought it may be caused by whatever makes the 'fluid' canvas width and canvas height settings work. But I tried setting both width and height to fixed and the problem still happens.
Does anybody have a solution or workaround, or can anybody at least shed some more light on this?
Thanks
I've been struggling with a similar issue, and the answer seems to be that it is not possible at all to reference any non-https resources from within your page tab app. Of course, if a Google link is all you require then that is simply resolved (as Google has an https version, of course), but referencing external non-https sites will always turn up this warning/block in Chrome.
Additionally, I should add that I have noticed that the 'page tab URL' section requires a URL to a particular page, whereas the 'canvas URL' needs to link to a directory. This does not seem to be documented and will also give the insecure content message in Chrome and prevent the page tab app from loading.
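Added example, not code from the original post or from Facebook: it walks a small constructed HTML snippet and classifies each http: reference the way the Mixed Content rules do. Scripts, stylesheets and frames are blockable, images are optionally blockable, and a plain link is mixed content only when it navigates a nested browsing context (the framed app itself); a navigation of the top-level window is never subject to mixed content checks. That distinction is what makes target=_top or target=_blank work in the question while a bare link in the frame is blocked. A regex scanner stands in for a DOM and only handles double-quoted attributes; all host names in the sample are constructed.

```javascript
// Added example: classify http: references on an https page as blockable,
// optionally-blockable or not mixed content, taking framing into account.

function extractTags(html) {
  const tags = [];
  const tagRe = /<(script|link|img|iframe|a)\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g; // double-quoted attributes only
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2];
    tags.push({ tag: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Verdict for one element on an https page. pageIsFramed says whether the page
// itself lives inside an iframe, as a Facebook canvas or page tab app does.
function mixedContentVerdict({ tag, attrs }, pageIsFramed) {
  const url = attrs.src || attrs.href || "";
  if (!/^http:\/\//i.test(url)) return "not-mixed"; // https, scheme-relative or relative URL
  switch (tag) {
    case "script":
    case "iframe":
      return "blockable";
    case "link":
      return (attrs.rel || "").toLowerCase() === "stylesheet" ? "blockable" : "not-mixed";
    case "img":
      return "optionally-blockable"; // browser warns, may still load it
    case "a": {
      const target = (attrs.target || "_self").toLowerCase();
      const topLevel = target === "_top" || target === "_blank" || !pageIsFramed;
      // a top-level navigation is not subject to mixed content checks, but
      // navigating the frame itself to http: is a blockable nested navigation
      return topLevel ? "not-mixed" : "blockable";
    }
    default:
      return "not-mixed";
  }
}

function auditMixedContent(html, pageIsFramed) {
  return extractTags(html).map((t) => ({
    tag: t.tag,
    url: t.attrs.src || t.attrs.href || "",
    verdict: mixedContentVerdict(t, pageIsFramed),
  }));
}

// Constructed page, modelled on the question's "page that contains only a link to Google"
const SAMPLE_HTML = `
<script src="http://cdn.example/lib.js"></script>
<link rel="stylesheet" href="http://cdn.example/style.css">
<link rel="canonical" href="http://site.example/httpstest/">
<img src="http://img.example/logo.png">
<iframe src="http://widget.example/"></iframe>
<a href="http://www.google.com/">Google</a>
<a href="http://www.google.com/" target="_top">Google (top)</a>
<a href="https://www.google.com/">Google (https)</a>
`;

console.log(auditMixedContent(SAMPLE_HTML, true));
```

With pageIsFramed set to true the bare Google link comes back "blockable" while the target=_top variant and the https variant do not; with pageIsFramed set to false the same bare link is "not-mixed". A window.location assignment or a server-side Location header inside the frame is the same nested navigation as the bare link, which is why those fail too; to leave the frame for an http destination, navigate window.top instead.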

New App 404 - Very Basic Setup - URL Exists

I have created a new Facebook app. Whenever I visit the canvas page (https://apps.fac...) I get redirected to the Facebook 404 page.
The canvas URL is set to: https://mgnewmedia.com/brandgame/
which, as you will see, is as basic as it could possibly be, yet I still get a 404.
I have used the debug tool, which reads it fine. I have checked the URL on other Internet connections and with other Facebook accounts; all 404. The app's canvas page is: https://apps.facebook.com/brandgame/
I have deleted the app and re-added it with no luck. I have also tried putting sample apps in place in case it's 404'ing due to no SDK being present, but that's not the case either.
I have a full, valid SSL certificate in place on the hosting, as you can see. I run several apps on here already with no such issues.
Full list of settings below:
App ID/API Key: **
App secret: **
App Namespace: brandgame
Canvas Page: https://apps.facebook.com/brandgame/
Canvas URL: https://mgnewmedia.com/brandgame/
Secure Canvas URL: https://mgnewmedia.com/brandgame/
Canvas FBML/iframe: iframe
Contact Email: **
Support Email Address: **
App Description:
If you haven't changed anything, it will just be the delay in the setup, as everything seems to be working fine here?
Can provide screenshots if you want?
This was a bug with Facebook; it was listed on their bug tracker shortly after I posted this. It has not yet been resolved, but a workaround has been posted. Essentially you add the app, rename it, then rename it back, waiting 20 minutes or so between each step.
It's worth noting that this doesn't affect everyone making apps, only certain accounts. I assume this is down to data centre allocation, or something like that.

security warning in IE9 "Show all content"

I'm implementing the Facebook Comments plugin on my site. Users get the warning "Show all content" in IE9.
This other publisher is using the same plugin and it does not bring up the warning.
Can someone please help me with this?
Asking users to turn off the mixed content warning in their IE9 is not an option.
We were just looking at this today, and our workaround for now was to include the Facebook library over https (even when the page itself is viewed over http). Although not ideal, it gets rid of the mixed content warnings in IE9 until they have fixed their bug.
That seems to be how it was accomplished at www.vg.no, linked in the original question; the library is linked via https.
From their code:
<script src="https://connect.facebook.net/nb_NO/all.js"></script>
I have the same problem:
I have a page that's 100% http. But the Facebook JavaScript (which I call over http) is returning assets (.js, images) over https, which is generating security warnings for IE(9) users.
I have figured out it's the comment widget from Facebook (
Here's an example of a live page on http: with the error:
http://app.gophoto.com/p?id=10173&rkey=CD01891B287792415384&s=1&a=6940
Here's one of the assets that Facebook returns over HTTPS
https://s-static.ak.facebook.com/rsrc.php/v1/y8/r/7Htnnss1mJY.js
(I'm unable to comment, for some reason, on Joel's answer. But his suggestion to fetch the initial all.js over https on http sites does not actually work. I've tried it, and it also inherently looks incorrect, since even the initial JS fetch violates the rule against mixing http and https content.)

Workaround: site is www.example.com code incl. document.domain='example.com'

A customer site that I cannot change has the line document.domain = "example.com", while the site is at www.example.com.
The effect is that the Facebook Connect login window gets stuck after submitting username and password.
Firebug shows it's in an infinite loop inside the dispatchmessage function, which throws a perpetual exception:
Error: Permission denied for <http://www.example.com> to get property Window.FB from <http://example.com>
Any idea how to work around this? I'd prefer not to ask the customer to remove document.domain='example.com'.
It seems like a really bad idea to tell the visitor's browser that the website is being served from a particular domain, when it in fact is not. The best solution would be to change that line. I take it you don't want to change it because they have some client-side code that depends on this?
One workaround would be to change the Facebook application's Connect URL to http://example.com, since Facebook's JavaScript will think that is where it is being executed.
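Added example, not Facebook's JS SDK and not the customer's code: it models how a browser decides whether one window may read another window's properties once document.domain is involved, which is exactly the "Permission denied ... Window.FB" situation above (one side relaxed its domain, the other did not), and it shows the postMessage receiver with an explicit origin allow-list that replaces document.domain. All origins are constructed.

```javascript
// Added example: the "same origin-domain" rule behind document.domain, and a
// postMessage handler that checks event.origin instead of relying on it.

function origin(scheme, host, port, domain = null) {
  // domain is non-null only if that document executed document.domain = "..."
  return { scheme, host, port, domain };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// HTML "same origin-domain": either neither side set document.domain and the
// origins are identical, or BOTH sides set it to the same value with the same scheme.
// If only one side relaxed, script access is denied even for identical origins.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  if (a.domain !== null && b.domain !== null) return a.scheme === b.scheme && a.domain === b.domain;
  return false;
}

// Reproduce the Firefox-style message for a cross-window property read.
function explainAccess(from, to, prop) {
  return sameOriginDomain(from, to)
    ? `ok: ${from.host} may read Window.${prop} of ${to.host}`
    : `Permission denied for <${from.scheme}://${from.host}> to get property Window.${prop} from <${to.scheme}://${to.host}>`;
}

// postMessage receiver: accept messages only from an explicit list of origins.
function makeMessageHandler(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins);
  return function handler(event) {
    if (!allowed.has(event.origin)) return { accepted: false, reason: `untrusted origin ${event.origin}` };
    return { accepted: true, result: onMessage(event.data) };
  };
}

// The situation in the question (constructed): the customer page relaxed its
// domain, the Facebook Connect receiver on the same host did not.
const customerPage = origin("http", "www.example.com", 80, "example.com");
const fbReceiver = origin("http", "www.example.com", 80);
console.log(explainAccess(customerPage, fbReceiver, "FB"));
```

Two consequences fall out of the rule: relaxing both sides to the same value fixes the loop, which is what pointing the Connect URL at example.com achieves, but it also lets any other host able to set document.domain = "example.com" (every subdomain) script the page, which is why a postMessage handler with an allow-list of origins is the safer replacement. Browsers have since deprecated setting document.domain altogether.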