Did the Facebook Like/Share iframe recently break? - facebook

I have had a working Facebook widget (Like/Share buttons) on my website for a long time now, but since yesterday they have stopped working.
I verified that other sites I know are having the same errors.
The cause of the error is the X-Frame-Options: SAMEORIGIN header I have on my website.
The problem is: this header never gave any issue with those buttons. Now I see in the console that they throw an error when they try to load a script that is denied by my security headers (as it should be).
Does anyone know if the Facebook team is going to fix this soon? Otherwise, does anyone know how to replace the Facebook Like/Share buttons with another equivalent Facebook widget?
Thanks.

Related

Facebook app fails to load - Content Security Policy "frame-src"

We have a Facebook app that has been around for a long time. It's a page-based app, loading up in an iframe. Of late, it is failing to load, and this error appears in the Chrome console:
[Report Only] Refused to frame 'https://edit.ihouseelite.com/' because it violates the following Content Security Policy directive: "frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com".
You can see the problem in our test page:
https://www.facebook.com/Test-page-1158553550884937/app/451851288205481
First - this message starts with "Report Only". Does that mean that this error is not really an error, but perhaps an indication of future problems?
Assuming that it really is an error, how do I fix it? It seems like the CSP is something set by Facebook, so they only permit specific domains to load up in iframes within a Facebook page. Or am I reading that incorrectly? I figured that setting the domain in the App Settings (basic) would adjust the CSP, but it doesn't seem to have done that. We have a couple thousand customers who are using our app, so I would really like to figure out how to fix this. All suggestions welcome.
Yes, it's Facebook's CSP. It publishes two CSPs, Content-Security-Policy and Content-Security-Policy-Report-Only, and you can see them in the dev tools.
Using CSP in Report-Only mode, Facebook is just testing something; there is no real blocking, just violation reports being sent.
Facebook's CSP cannot be affected just like that, but when a legitimate application is created, Facebook should automatically add the app's domain to the frame-src directive.
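Added example, not from either post above and not Facebook's code: a small JavaScript evaluator of the two checks a browser performs before showing a cross-origin iframe, which both threads touch on. The embedding page's Content-Security-Policy frame-src (falling back to child-src, then default-src) decides which URLs it may frame; the framed response's frame-ancestors or X-Frame-Options decides who may frame it; and a Content-Security-Policy-Report-Only header on the embedding page only logs a violation and never blocks. An X-Frame-Options header sent by the embedding page plays no part in whether that page may load a third-party frame. The origins and headers used are constructed for illustration, apart from the frame-src list quoted in the console error above; source matching is simplified (paths are ignored, and a host source given without a scheme matches any scheme).

```javascript
// Added example, not from the original posts or from Facebook: evaluates the
// two checks a browser runs before rendering a cross-origin <iframe>.
//   1. EMBEDDING page: CSP frame-src (fallback child-src, then default-src)
//      limits which URLs it may load into frames.
//   2. FRAMED response: CSP frame-ancestors, else X-Frame-Options, limits
//      which pages may embed it. An X-Frame-Options header on the embedding
//      page's own response is irrelevant to check 1.
// Simplified source matching: paths ignored; schemeless host sources match any scheme.

// Match one CSP source expression (e.g. "*.facebook.com", "https:", "https://a.b:443")
// against an absolute URL. 'self' is resolved by the callers, which know the page origin.
function sourceMatches(src, url) {
  if (src === "'none'") return false;
  if (src === "*") return true;
  if (src.startsWith("'")) return false; // other keyword sources do not apply to frames
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase(); // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  const want = host.toLowerCase();
  if (wildcard ? !u.hostname.endsWith("." + want) : u.hostname !== want) return false;
  if (port !== "*") {
    // An explicit port must match; a scheme without port means that scheme's default port.
    const wantPort = port || (scheme ? (scheme.toLowerCase() === "https" ? "443" : "80") : null);
    const actual = u.port || (u.protocol === "https:" ? "443" : "80");
    if (wantPort && actual !== wantPort) return false;
  }
  return true;
}

// "name value value; name value" -> { name: [values] }; first occurrence of a directive wins.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !(tokens[0].toLowerCase() in directives)) {
      directives[tokens[0].toLowerCase()] = tokens.slice(1);
    }
  }
  return directives;
}

// Does any source in the list match targetUrl? 'self' means the origin that sent the policy.
function allowedBy(list, selfOrigin, targetUrl) {
  return list.some(s => s === "'self'" ? new URL(targetUrl).origin === selfOrigin : sourceMatches(s, targetUrl));
}

// Check 1: may a page at pageOrigin, delivered with this CSP, load frameUrl into an iframe?
function frameSrcAllows(csp, pageOrigin, frameUrl) {
  const d = parsePolicy(csp);
  const list = d["frame-src"] || d["child-src"] || d["default-src"];
  return list ? allowedBy(list, pageOrigin, frameUrl) : true; // no governing directive: allowed
}

// Check 2: may a page at pageOrigin embed a response (from framedOrigin) carrying these headers?
// frame-ancestors, when present, takes precedence over X-Frame-Options.
function frameAncestorsAllow(frameHeaders, framedOrigin, pageOrigin) {
  const csp = frameHeaders["content-security-policy"];
  const d = csp ? parsePolicy(csp) : {};
  if (d["frame-ancestors"]) return allowedBy(d["frame-ancestors"], framedOrigin, pageOrigin + "/");
  const xfo = (frameHeaders["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return pageOrigin === framedOrigin;
  return true; // absent or unrecognised value: no restriction from this header
}

// Full decision for one iframe, plus whether a Report-Only policy on the
// embedding page would log a violation (it never blocks).
function evaluateFrame({ pageOrigin, pageHeaders, frameUrl, frameHeaders }) {
  const framedOrigin = new URL(frameUrl).origin;
  const enforced = pageHeaders["content-security-policy"];
  const reportOnly = pageHeaders["content-security-policy-report-only"];
  const srcOk = !enforced || frameSrcAllows(enforced, pageOrigin, frameUrl);
  const ancestorsOk = frameAncestorsAllow(frameHeaders, framedOrigin, pageOrigin);
  return {
    allowed: srcOk && ancestorsOk,
    blockedBy: !srcOk ? "frame-src" : !ancestorsOk ? "frame-ancestors / X-Frame-Options" : null,
    reportOnlyViolation: Boolean(reportOnly) && !frameSrcAllows(reportOnly, pageOrigin, frameUrl),
  };
}

// The frame-src list quoted in the console error of the second thread.
const FB_FRAME_SRC = "frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com";

// Constructed scenario for the first thread: a site sending X-Frame-Options: SAMEORIGIN
// embeds a Facebook plugin. Its own header does not stop the frame.
const likeButton = evaluateFrame({
  pageOrigin: "https://www.example.com",
  pageHeaders: { "x-frame-options": "SAMEORIGIN" },
  frameUrl: "https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.example.com%2F",
  frameHeaders: {},
});

// Second thread: the frame-src list in Report-Only mode, framing an app URL not on the list.
const appTabReportOnly = evaluateFrame({
  pageOrigin: "https://www.facebook.com",
  pageHeaders: { "content-security-policy-report-only": FB_FRAME_SRC },
  frameUrl: "https://edit.ihouseelite.com/",
  frameHeaders: {},
});
console.log(likeButton, appTabReportOnly);
```

Swapping the Report-Only header for an enforced Content-Security-Policy in the second scenario turns the same violation into an actual block with blockedBy "frame-src"; that is the difference the answer above describes.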

Facebook Lint/Debugger 403 and 503 response codes (WordPress site)

Humbly asking for any assistance people have time to give me on this one. Let me start by saying that I am aware there are previous questions about this on this site and elsewhere on the web; I have read a lot of them, and they are either unanswered/unresolved, had a particular cause that doesn't apply to me, or suggest things I have already done.
Over the past few days, Facebook has suddenly stopped scraping my website posts successfully, so when I paste a link into Facebook it pulls nothing through - no thumbnail or description. I run the links through the FB lint/debugger, and it alternates between 403 and 503 response codes, but mainly 403. Previous links that Facebook has cached/successfully scraped still display with thumbnails and descriptions, but still present as a 403 or 503 response.
My site is http://21stcenturyburlesque.com
One of the new URLs I have been testing is : http://21stcenturyburlesque.com/the-burlesque-top-50-2013/
I have checked with the server/host people. Nothing has changed, everything fine.
I have tried with the default wordpress theme. No change.
I have read threads about Bullet Proof Security causing issues, although why it suddenly would I don't know. It was deactivated on my site anyway, but I went through the removal process to remove the htaccess file with the BPS code in it. I have then run debug without an htaccess file present, and with a very basic htaccess present. No change.
Hotlinking protection is disabled in my cpanel.
I have experimented with adding/removing www. and / when I paste the link into lint as someone suggested. No change.
I use Facebook OGP Wordpress plugin. I spoke to the creator and he says the plugin is working as it should and to contact my host/server. See bullet one.
I tried creating a new FB App and using the new App Id number with the OGP plugin. No change.
Checked the cpanel error log. This came up three times tonight:
[Fri Nov 01 21:47:53 2013] [error] [client 193.242.149.35] File does not exist: /home/**/public_html/403.shtml
There are a few other things I ruled out but I've been at this for so long I can't remember all of them, so if someone suggests something else I've tried then I apologise for not mentioning it here in advance.
If anyone can suggest anything else, I would really appreciate it. I manage to fix most technical problems I come up against, but this has stumped me and my much more experienced colleague and it is really affecting my clickthrough rates and site traffic. If it comes down to adding things to my htaccess file, I would appreciate guidance on what to add/remove. Many thanks in advance.
I had the same problem. It drove me crazy for hours (maybe days). In your FB app settings, make sure that the top Facebook URL has http://

Stopped Working: FB.ui with method: 'feed' suddenly quit working

This question is similar to: Facebook Error 191 on canvas app using FB.ui() for the 'feed' dialog (worked before, stopped working last week) which was never answered.
Starting today, after the user likes the page and enters the contest, the share dialog which presented itself stopped working and gave:
API Error Code: 191
API Error Description: The specified URL is not owned by the application
Error Message: redirect_uri is not owned by the application.
when logged in as an admin, and just "an error occurred" for other users. This tab has been running well for a while now. I have confirmed it with an associate of mine. They did make a change to another part of the app (yesterday and today) but the sharing was still working until this afternoon. They did not change the part that generates the dialog.
The tab is: https://www.facebook.com/MedjoolDates/app_355398587864294
Anyone have any insight? Feel free to use 'cancel' rather than sharing and fake data to sign up, then unlike the page if you wish.
Thanks in advance.
David
Same problem here; there is a bug posted on Facebook Developers here:
https://developers.facebook.com/bugs/273845842724431
Can't help much without seeing your code.
One thing to check: make sure your redirect_uri is exactly as your domain registered with FB and that you include a trailing /, i.e. http://www.myurl.com/ rather than http://www.myurl.com
I can't answer why it changed, but I had that error fixed by the above change before.
I am having the same issue. Am developing a new app with FB.ui feed functionality, which worked OK yesterday and today it gives the same error as OP.
Went back and checked a >1-year-old app with the same functionality; same error. I cannot see any other solution than that the FB dev team has changed something and not given notice.
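Added example in JavaScript, not from this thread and not Facebook's code: how an OAuth authorization server decides whether a redirect_uri "is owned by the application", which is the check behind error 191. The safe rule is an exact string comparison against the URIs registered for the app, after normalising only the case of the scheme and host, so a trailing slash, a different path, a query string or a subdomain each yield a different URI; that is the mismatch the trailing-slash answer above points at. A prefix-matching variant is shown alongside as the anti-pattern, and a diagnostic helper reports which of these differences is present. All registered and candidate URIs are constructed for illustration.

```javascript
// Added example, not from the original thread or from Facebook: redirect_uri
// validation as an OAuth authorization server should do it (exact match),
// the loose prefix match some servers use instead, and a developer-side
// diagnostic for the common mismatches. All URIs are constructed.

// Lower-case scheme and host, which RFC 3986 makes case-insensitive; keep
// path, query and fragment byte-for-byte. Reject relative URIs and userinfo.
function canonicalize(uri) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]+)(.*)$/i.exec(uri);
  if (!m || m[2].includes("@")) {
    throw new Error("redirect_uri must be an absolute URI without userinfo: " + uri);
  }
  const [, scheme, authority, rest] = m;
  return scheme.toLowerCase() + "://" + authority.toLowerCase() + rest;
}

// Exact match: the only comparison an authorization server should make.
function isRedirectUriOwned(registered, candidate) {
  const allowed = new Set(registered.map(canonicalize));
  return allowed.has(canonicalize(candidate));
}

// Prefix match, as seen in some home-grown servers. It makes the
// trailing-slash complaint go away but accepts attacker-controlled URIs
// (a look-alike host, or an open redirect under a registered path), so
// it is shown here only as the anti-pattern.
function isRedirectUriOwnedLoose(registered, candidate) {
  const c = canonicalize(candidate);
  return registered.some(r => c.startsWith(canonicalize(r)));
}

// Why does this redirect_uri not match? Reports the first single difference found.
function explainMismatch(registered, candidate) {
  const c = canonicalize(candidate);
  const noSlash = s => s.replace(/\/$/, "");
  const noScheme = s => s.replace(/^[a-z][a-z0-9+.-]*:/, "");
  const noQuery = s => s.split("?")[0];
  for (const r of registered.map(canonicalize)) {
    if (c === r) return "exact match";
    if (noSlash(c) === noSlash(r)) return "differs only by trailing slash";
    if (noScheme(c) === noScheme(r)) return "differs only by scheme";
    if (noQuery(c) === noQuery(r)) return "differs only by query string";
  }
  return "no registered URI matches";
}

// Constructed registration for a hypothetical app, using the placeholder
// domain from the answer above.
const REGISTERED = ["http://www.myurl.com/", "https://www.myurl.com/tab/"];

console.log(isRedirectUriOwned(REGISTERED, "http://www.myurl.com"));        // false: trailing slash missing
console.log(explainMismatch(REGISTERED, "http://www.myurl.com"));           // "differs only by trailing slash"
console.log(isRedirectUriOwnedLoose(["http://www.myurl.com"], "http://www.myurl.com.attacker.example/")); // true: why prefix matching is unsafe
```

The diagnostic is for the client developer's side of the exchange: when the dialog reports that the URL is not owned by the application, run the redirect_uri the SDK actually sends through explainMismatch against the URIs configured for the app, and fix the registration or the URI rather than loosening the match.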

Facebook Oauth/Login fails

For two days I have had trouble with a normal login/OAuth (authorization) via a Facebook application.
It behaves as if the app never left Sandbox Mode (which is disabled):
Login fails for (a lot of/some/not all) normal users; however, there's no problem for the page admins, developers etc. to authorize.
There's an error at the oauth page of facebook, not very helpful:
"An error occurred. Please try again later."
I made a stupid test app, that really does not much:
The app at facebook:
http://apps.facebook.com/mygeneraltesting/
The URL of the iframe (no https there): (I'm restricted to two urls in one post, so see it as a comment)
The minimal possible (IMHO) URL to the Oauth dialog:
(I'm restricted to two urls in one post, so see it as a comment)
It really seems like the error is caused by facebook, but it is hard to find someone else with this problem online. So I'd like to ask:
Is anyone else seeing the error message from above?
Is anybody out there with the same problems on their app?
If you like to make a code review, (see: http://graphicore.de/downloads/generaltesting.tar.gz ) is there anything suspicious?
Thanks a lot, Lasse
(the German error message, for the search engines: "Es ist ein Fehler aufgetreten. Bitte versuche es später noch einmal.", i.e. "An error occurred. Please try again later.")
This question is very dated now. The answer is: Facebook did something wrong. The same code worked on another app created some time later (I don't even remember how much later) but never worked on that app, AFAIK. So it was just a broken app on Facebook's side.

security warning in IE9 "Show all content"

I'm implementing the Facebook Comments plugin on my site. Users get the warning "Show all content" in IE9.
This other publisher is using the same plugin and it does not bring up the warning.
Can someone please help me with this?
Asking users to turn off the mixed content warning in their IE9 is not an option.
We were just looking at this today and our workaround for now was to include the Facebook Library over https (even when the page itself is viewed over http). Although not ideal it gets rid of the mixed content warnings in IE9 until they have fixed their bug.
That seems to be how it was accomplished at www.vg.no linked in the original question, the library is linked via https.
From their code:
<script src="https://connect.facebook.net/nb_NO/all.js"></script>
I have the same problem:
I have a page that's 100% http. But, the facebook javascript (which I call over http), is returning assets (.js, images) over https, which is generating security warnings for IE(9) users.
I have figured out it's the Comments widget from Facebook.
Here's an example of a live page on http: with the error:
http://app.gophoto.com/p?id=10173&rkey=CD01891B287792415384&s=1&a=6940
Here's one of the assets that Facebook returns over HTTPS
https://s-static.ak.facebook.com/rsrc.php/v1/y8/r/7Htnnss1mJY.js
(I'm unable to comment (for some reason?) on Joel's answer. But his suggestion to fetch the initial all.js over https on http sites does not actually work. I've tried it, and it also inherently looks incorrect, since even the initial JS fetch violates the mixing up of http & https content.)
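Added example in JavaScript, not from this thread and not Facebook's code: the mixed-content check current browsers apply, run over a constructed HTML fragment, with the fix the accepted answer describes (referencing the library over https) applied mechanically, and a protocol-relative URL shown as the alternative that follows the page's own scheme. Active mixed content (scripts, frames, stylesheets) loaded over http on an https page is blocked by current browsers; passive content such as images is warned about or upgraded. The tag list, sample markup and hostnames are assumptions made for the example.

```javascript
// Added example, not from the original thread or from Facebook: finds
// subresources that browsers treat as mixed content relative to the page's
// own scheme, classifies them as active (blocked) or passive (warned or
// upgraded), and rewrites the fixable ones to https. Sample HTML is constructed.

// Simplified tag classes; <link> is treated as active because of stylesheets.
const ACTIVE = new Set(["script", "iframe", "link", "object", "embed"]);
const PASSIVE = new Set(["img", "audio", "video", "source"]);
const TAG_RE = /<(script|iframe|link|object|embed|img|audio|video|source)\b([^>]*)>/gi;
const URL_ATTR_RE = /\b(?:src|href|data)\s*=\s*["']([^"']+)["']/i;

// Returns one finding per subresource fetched over http from an https page.
// Relative and protocol-relative URLs are resolved against the page URL first,
// so "//host/path" inherits https and is not mixed content.
function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attr = URL_ATTR_RE.exec(m[2]);
    if (!attr) continue;
    const target = new URL(attr[1], page);
    if (page.protocol === "https:" && target.protocol === "http:") {
      findings.push({ tag, url: attr[1], kind: ACTIVE.has(tag) ? "active" : PASSIVE.has(tag) ? "passive" : "other" });
    }
  }
  return findings;
}

// The fix from the thread, applied to every URL attribute: fetch over https.
// Only valid when every referenced host actually serves https.
function upgradeInsecureUrls(html) {
  return html.replace(/\b(src|href|data)(\s*=\s*["'])http:\/\//gi, "$1$2https://");
}

// Constructed page fragment mixing the patterns discussed above.
const SAMPLE_HTML = `
<html><body>
<script src="http://connect.facebook.net/en_US/all.js"></script>   <!-- active: blocked on an https page -->
<script src="//connect.facebook.net/en_US/all.js"></script>        <!-- protocol-relative: follows the page scheme -->
<img src="http://static.example.net/logo.png">                     <!-- passive: warning or upgrade -->
<img src="https://static.example.net/logo.png">                    <!-- fine -->
<iframe src="/plugins/comments?href=x"></iframe>                   <!-- same-origin relative: fine -->
</body></html>`;

console.log(findMixedContent(SAMPLE_HTML, "https://www.example.com/article"));
console.log(findMixedContent(upgradeInsecureUrls(SAMPLE_HTML), "https://www.example.com/article"));
```

Run against the https page URL the scan reports the http script (active) and the http image (passive); against the same page served over http it reports nothing, and after upgradeInsecureUrls the https scan is clean. A scanner like this is what to run over a rendered page when a browser shows a mixed-content warning and the offending asset is not obvious.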