New facebook image requirements and third party plugins - facebook

We have been trying to get facebook approval for the use of an existing, already approved (with other people using it) third party extension for magento 2 that helps a user design photo albums. We would like to enable our customers to have access to their facebook photos when designing photo albums.
The initial app review was submitted at about the time facebook started making all of its changes and thus sat idle for three months as they changed some of their internal policies and handled the subsequent backlog. It was even cancelled at one point, requiring us to re-submit it.
Most recently, it finally received a review and was rejected because facebook confused the photo behavior with the login behavior.
I'm not trying to re-submit the review request with more details to show that it's a different piece of software performing a different function from the login-with-facebook but now (unlike the first time) I'm getting an error when using one of the test accounts:
Can't Load URL: The domain of this URL isn't included in the app's domains. To
be able to load this URL, add all domains and subdomains of your app to the App
Domains field in your app settings.
This error didn't appear when I created the 'experience' video 3 1/2 months ago so presumably it's something new from facebook's end as the settings in the app haven't changed. I can only guess as to the cause, but the third party app uses an end-point that is not on our domain but is instead one of their domains for their designer hub which actually handles the album design. The plugin is the MediaClip album designer and the end point is on photos.mediacliphub.com
But the facebook app settings won't allow me to add photos.mediacliphub.com to the App Domains saying:
App domains must match the domain of the Facebook
Web Games URL (https), Mobile Site URL, Unity Binary
URL, Site URL or Secure Page Tab URL. Please correct
these domains: photos.mediacliphub.com
Of course since we are the only one of their customers sitting in the middle of a review process at the moment, I'm having a hard time convincing mediaclip that it is a problem with the urls/changes-at-facebook. (especially since I am not entirely sure of that myself)
Facebook, meanwhile, has closed itself off from the world in regard to any means to contact support with an actual specific question or inquiry. I've tried joining the Facebook Developers group on facebook and posing the question but so far it hasn't received a single reply or comment.
If anyone knows what might be going on or has any suggestions, it would be greatly appreciated for as of this point, I can't even re-submit the review request if I'm receiving errors in the experience as it will just get rejected.

Related

facebook app not working on mobiles

I have a Facebook app (canvas app), let's say https://apps.facebook.com/test, that redirects and works as expected on the desktop (on all browsers that I have tested).
On mobile phones (both from the FB app and the browser) the path gets redirected to https://m.facebook.com/apps/test/?ref=web_canvas, which gives a "This page cannot be found" error. Why?
This has been reported as a bug to Facebook and Facebook has confirmed it as a bug. They have not provided a date on when the fix will be ready.
You can follow the status of the bug here:
https://developers.facebook.com/bugs/1051463851558493/
Update: Facebook have (since the information struck-out below) completely removed support for this. The thread about this is here:
https://developers.facebook.com/bugs/1051463851558493/
The top-level information is:
We have now deprecated Mobile Canvas URL. This means that you will no
longer be able to direct to a website/app directly within the Facebook
mobile web based upon the external destination URL you have specified
in the 'Mobile Site URL' field for the app on developers.facebook.com.
Furthermore, we have removed the 'Mobile Site URL' field from the app
setup going forward. This deprecation also applies to apps that were
previously whitelisted.
So it's time to move away from this functionality, and either integrate the newer FB Instant Games functionality or just link to an external website as having your canvas app hosted inside the FB mobile app simply isn't possible as it was in years gone by.
Facebook has disabled mobile URLs working by default:
We recently identified a handful of apps misusing our mobile App Center to redirect people to unauthorized sites. As a precaution, we have temporarily turned off the ability for developers to direct to a destination URL for any app in the "Mobile Site URL" field on the dev site.
Now if you wish for this functionality to work, you need to be logged into Facebook and then go to the following URL:
https://www.facebook.com/help/contact/588209321338256
This URL will effectively put your request in a queue, for someone at Facebook to manually verify your app configuration isn't malicious, and then enable the redirection. I do not like posting this answer, as I know it will eventually become invalid, but as of today it is the only answer. As stated by Scott, you can follow progress on this issue here:
https://developers.facebook.com/bugs/1051463851558493/
Please ignore the fact it claims the issue has been 'Fixed' as Facebook count the above workaround as a fix. If you read through the comments on the bug you can note the waiting time to get the URL fixed (on a per app basis) is typically several weeks.
On May 28th, 2017, Facebook confirmed that the Mobile Canvas URL has now been deprecated. Any apps already using (and white listed) will stop working, and no new apps will be accepted.
Hi everyone,
First, please accept my sincere apologies for the delay in getting
back to you with an update on the status of Mobile Canvas URL. I
understand your frustrations, particularly if you submitted your
details via the form and were waiting on a response.
We have now deprecated Mobile Canvas URL. This means that you will no
longer be able to direct to a website/app directly within the Facebook
mobile web based upon the external destination URL you have specified
in the 'Mobile Site URL' field for the app on developers.facebook.com.
Furthermore, we have removed the 'Mobile Site URL' field from the app
setup going forward. This deprecation also applies to apps that were
previously whitelisted.
The Mobile Canvas URL feature is a vestige of a long ago deprecated
product called Mobile Canvas. Facebook maintains a high commitment to
quality, so we don't want to leave unsupported products active —
especially when they continue to cause bugs for our developers. Going
forward, we're recommending you take advantage of the well-supported
Facebook Games on Web product to drive traffic to your app.
We've also introduced Instant Games which lets people play mobile
games within Messenger and Facebook News Feed. We invite you to sign
up for our closed beta program. We believe letting people play games
together on Facebook is a powerful experience for both players and
developers.
If your app is still set up to rely on Mobile Canvas URL
functionality, we recommend taking the following actions:
If you're using Mobile Canvas to link to a page on mobile web, you need to update your app to handle the redirection in the desktop
iframe. User interaction is required to redirect away from web canvas
as our Platform Policy does not allow automated redirects from canvas.
If your app was previously whitelisted, you will need to take action as this deprecation supersedes any workarounds you have in place.
Thank you for your understanding as we continually improve the
products and services we offer to both developers and players. Again,
please accept my apologies for the wait in getting back to you with
this information
Best regards,
Tim
See this thread https://developers.facebook.com/bugs/1051463851558493/

Facebook connect service for my customers without appid

I have more than a few clients that would like to add facebook connect to their landing pages (managed by me). They are too many and not tech-savvy enough to manually create an appid for each of them.
So my only solution is to use my own appid to add facebook connect to all my clients' websites, but as far as I know, Facebook doesn't allow you to simply use the same appid on any domain.
How can I solve this? I can't find any documentation to solve my issue. Does anyone have a direction for me?
This has been discussed a couple o’ times before already – but I mostly commented on earlier questions, so let me write the whole thing up as a proper answer, for future reference.
[paraphrased] Multiple-client Facebook login via one single app id
Does anyone have a direction for me?
You probably rather don’t want to do that.
It is not really possible to run one simple app on multiple different domains.
As a workaround for only a few domains, people used to specify different domains for the different platforms – Website, Page Tab or Canvas App, plus Mobile alternative for Canvas – without actually using any of those platforms besides Website, which made the app usable on multiple domains as a website app. But since Facebook introduced their login/permission review process¹, you can’t do that any more – they expect you to present actual functionality on all platforms you have configured in your app.
You can kind of use one single app for login on multiple domains – if you are willing to use only the server-side login flow, and to redirect users to one “main” domain (that gets specified as the app domain in the app settings) to login, and then from there back to the origin domain.
But this has several drawbacks:
It’s not what you’d call a “white label” solution. If your clients expect it to look as if users were logging in via “their” app, it should stay on their domain. Individual branding, in regard to stuff such as app name, app logo that shows in the login dialog, etc., would also not be possible. Additionally, app attribution – the link that shows up under content shared/posted via the app – would only link users back to the main domain, and not to your customer’s.
You would not be able to use the JS SDK for client-side API requests, or even just to embed it to render any of the FB social plugins that require an app id – the SDK checks what domain it is “running on”, and can not be tricked to accept a domain that is not specified in the app settings.
There could be privacy issues. An over-exaggerated example: Just because I as the app user decided to share my photos or videos I have on Facebook with your customer Our-Holy-Mother-of-Christ-Bakery.com, does not necessarily mean I want to share them with your other customer, amateurs-doing-all-kinds-of-nasty-stuff.xxx as well – but if they shared an app id for login purposes, I automatically would. Have fun writin’ the Privacy Policy (which is mandatory if you use FB login functionality, and FB also automatically checks if your app has got one) for that scenario ;-)
Finally, and most importantly: All your customers would be “sitting in the same boat.” If one of them, or in turn their website users, would publish spam via your app id, so that Facebook blocks it, login would not work any more for all of your customer’s websites. And if you decide only then, that setting up an individual app for each of your customers would be the better way to go, they would not be able to recognize their existing users any more, because of user ids being app-scoped since API v2.0 was introduced – so if users logged into this new app, that app would see a totally different user id. (And to rely on an email address as an identifier is risky, too, because you will not get one from the API for every user; for example if they registered using their mobile device.)
Edit: Plus, app/domain insights, as luschn mentioned in his answer.
¹ Yes, the review process has made it more laborious to set up multiple apps for multiple clients. But for apps that do the same stuff/use the same permissions in the same manner, you can refer to an earlier successfully reviewed app id to speed up the process a little. Also, screenshots of how f.e. posts made via the app look on timeline, and what UI components are used, as well as screencasts that you include in your submission could probably be used with little to no alteration.
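The redirect-through-one-main-domain login described in this answer, as an added example that is not part of the original answer: the hub has to carry the client's return URL through the login round trip without becoming an open redirector, so the URL is checked against the registered client origins and bound to the browser session in a signed `state` value. The hub domain, client origins, key and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Every name and value here is an assumption made for this example.
HUB_CALLBACK = "https://login.hub.example/fb/callback"  # the only domain in the app settings
CLIENT_ORIGINS = {"https://bakery.example", "https://shop.example"}  # constructed client sites
STATE_KEY = b"constructed-demo-key"  # stands in for a random server-side secret
STATE_TTL = 600  # seconds a login attempt stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(body: str) -> str:
    return _b64(hmac.new(STATE_KEY, body.encode(), hashlib.sha256).digest())


def allowed_return_url(url: str) -> bool:
    """Accept only https URLs whose exact origin is a registered client site."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return f"https://{parts.netloc.lower()}" in CLIENT_ORIGINS


def make_state(return_url: str, session_id: str, now: Optional[float] = None) -> str:
    """Bind the return URL and the browser session into a signed state value."""
    if not allowed_return_url(return_url):
        raise ValueError("return URL is not a registered client origin")
    issued = int(time.time() if now is None else now)
    claims = {"r": return_url, "s": session_id, "t": issued}
    body = _b64(json.dumps(claims).encode())
    return f"{body}.{_sign(body)}"


def login_redirect(app_id: str, return_url: str, session_id: str) -> str:
    """Login dialog URL; redirect_uri is always the hub, never the client site."""
    query = urlencode({"client_id": app_id, "redirect_uri": HUB_CALLBACK,
                       "state": make_state(return_url, session_id)})
    return "https://www.facebook.com/dialog/oauth?" + query


def return_url_from_state(state: str, session_id: str,
                          now: Optional[float] = None) -> Optional[str]:
    """On the hub callback: the client URL to send the user back to, or None."""
    body, _, tag = state.partition(".")
    if not hmac.compare_digest(tag.encode(), _sign(body).encode()):
        return None  # forged or altered state
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    age = (time.time() if now is None else now) - claims["t"]
    if claims["s"] != session_id or not 0 <= age <= STATE_TTL:
        return None  # other browser session, or stale
    url = claims["r"]
    return url if allowed_return_url(url) else None  # client may have been removed
```

The hub redirects to the returned URL only when it is not `None`; any other outcome ends on an error page served from the hub itself.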
Apps are not meant to be used on several different domains; you will have to create a new App for each domain, I'm afraid. You can use the different platforms in the App settings to use different domains, but there are only a few so it's pointless. Just create some screenshots and a tutorial for your clients; that's how it is usually done.
Btw, it would be weird to authorize an App on a website, and the same App would allow you to be authorized on all other client websites. Also, insights are per App, so your clients may want to see their own insights and not the global insights of all domains together.
Many is not defined, but I think for being a smart developer you need to create new app_ids for every project you need to use facebook connect. Just my opinion. It also allows you to monitor a lot of stuff.

Site URL has been been identified as malicious and/or abusive

This question has been around but my scenario is pretty tricky. I'm halfway through developing and launching a pretty large Facebook application (website) in Google App Engine and brought my own custom domain to point to the app id.
In the Facebook apps panel I registered :
1 application for the custom domain
1 application for the subdomain given by google app engine
Few days I've been testing the application through the custom domain. I forgot to change the redirect URL in my authentication URL, its value was still left as the subdomain URL given by app engine. So, the login process used to start from my custom domain and reach the subdomain in the address bar.
Facebook has been showing notifications that the custom domain is pretending to be a website that it is not and asked my testers to reset their Facebook password. I didn't promote that URL any longer. We continued testing OK with the subdomain URL.
Now, in the Facebook apps dashboard, I can't make any configuration changes in my custom domain configurations. It's showing
Error
App Domains: li__ke__2__marry.c__om (without __) is not a valid domain.
Site URL has been been identified as malicious and/or abusive.
It's basically a misunderstanding, the Facebook algorithm must have assumed that my custom domain must be doing something malicious after tracking its activity. Actually, it is not, and I'm not blaming Facebook algorithm for this mishap.
My question is : How to apply to have this negative rating removed? Facebook is a very reputed product, and I hope they follow the most basic principle : every in should be made with an out. If they have a feature to blacklist I'm hoping to get a place where I can file a False Detection/Re-Classify Requests. It hasn't cheated anybody and all the few people that used it were my friends and to my laziness I was not testing it in sandbox mode nor did I register/configure any of them as application testers! But that doesn't mean my URL is malicious.
A similar request in the bug report feature of Facebook was rejected marking that it should be put in the Stack Overflow community and even in the Stack Overflow community, I found someone authoritative closing a similar question asking them to post it in the bugs section of Facebook. This link from the community for the exact problem forwards the user to Stack Overflow itself.
Here is a form for appealing blocked content (in your case, a URL). However, there is very little chance of getting your URL unblocked, but you may still try this form and hope to get a reply from Facebook. In any case, if your URL is unblocked, there is a high probability that your future users will see a captcha when visiting your app from mobile devices. So I can recommend changing the URL and continuing development with another URL.

What parameters are allowed in Desktop web game policy change?

We have a browser based game which uses Facebook Connect through an AppID that we used to run the same game in a canvas until Fb Credits were introduced and we were forced to shut it down. Now, we only use the App the same way as a product page with the FbConnect integration on our own site.
Today's mail states for our case:
If your Connect app is accessing user connections or asking for additional permissions beyond age, email, and our Publishing Permissions, please remove these requests.
(This refers to this policy change: https://developers.facebook.com/blog/post/2012/09/05/platform-updates--operation-developer-love/)
We are using oauth FbConnect with scope=email,user_birthday. This is exactly what was specified in an earlier mail so it should be ok.
Once the user is authenticated, we simply call
https://graph.facebook.com/me?access_token=...
and read what comes there.
Is it possible, that we are not allowed to call the GraphAPI's me anymore? It contains info like gender, location and locale...
The Oauth data contains the fbuid, first/lastname and the email, but it does not contain the age, what we are supposed to be allowed to ask?
Do I have to call https://graph.facebook.com/me?fields=birthday explicitly?
Did anyone actually succeed in getting a "desktop web game hosted primarily off Facebook" to comply with their new policy without creating a new AppID?
Note: There have been a couple of questions about the "Sep 5th policy change" like Facebook: Notice of Violation this one and many previous closed as duplicates, but none I found so far contains questions or answers on a technical level.
Maybe you could skip the "Website with Facebook Login" part in developer settings and only provide your game directly via canvas. (eg. apps.facebook.com/logogame). that's what "on facebook.com" is all about, I guess.

I don't understand this email from Facebook about my app [duplicate]

Possible Duplicate:
Dec 5th beaking changes - facebook says app will be effect
I got an email that my app is impacting some new rules. Unfortunately English isn't my native language and I found no possibility to ask the facebook support - I'm not sure if I understood the email correctly. I hope you can help me:
Your desktop web game hosted primarily off Facebook currently
accesses user connections when authenticating and/or requests
additional permissions beyond age, email, and publishing permissions.
This is no longer allowed per Facebook Platform Policy I.13a:
Desktop web games off of Facebook.com may only use Facebook Login
(Authentication, excluding user connections such as friend list),
Social Plugins and publishing (e.g., Feed Dialog, Stream Publish, or
Open Graph). When authenticating, these games may not request
additional permissions other than age, email, and our Publishing
Permissions.
If your app is accessing user connections
(https://developers.facebook.com/docs/reference/api/user/) or asking
for additional permissions beyond age, email, and our Publishing
Permissions, please remove these requests. After December 5th, we will
place restrictions on your app if your app continues to access user
connections or request additional permissions other than
'user_birthday', 'email' or our publishing permissions such as
'publish_actions' or 'publish_stream'.
Do I understand this right, I can ask for following additional permission like email or publishing stream but nothing else?
I changed my login-url from
"scope=email,publish_stream,read_stream,user_games_activity"
to this:
"scope=email,publish_stream"
Is it now okay?
I also use $facebook->api('/'.$FacebookID.'/friends'); to get the list of friends and build a form where the user can send his friends an invitation. Is this not allowed anymore?
• Your Canvas/mobile game currently shares the same app ID with a
desktop web game off Facebook.com, which is no longer allowed per
Facebook Platform Policy I.13b:
(Games on Facebook.com and mobile must not share the same app ID with
desktop web games off of Facebook.com. You must not use Canvas apps to
promote or link to game sites off of Facebook, and must not use emails
obtained from us to promote or link to desktop web games off of
Facebook.com).
Please create a separate app ID for your Facebook Connect integration.
After December 5th, your Connect app will no longer be accessible if
it continues to share an app ID with its Canvas/mobile counterpart.
You have received this message because your app uses a Connect
integration. If you believe this to be an error, please reference the
developer docs to ensure your app is categorized correctly.
This one I don't understand at all. What and where can I do that? My app has its own URL and a canvas page at facebook. Would it be enough to remove the canvas page and only keep the direct URL?
I changed my login-url from "scope=email,publish_stream,read_stream,user_games_activity" to this: "scope=email,publish_stream" Is it now okay?
Yes, it should be ok now because according to the breaking changes "these games may not request additional permissions other than age, email, and our Publishing Permissions." So you should be fine.
I also use $facebook->api('/'.$FacebookID.'/friends'); to get the list of friends and build a form where the user can send his friends an invitation. Is this not allowed anymore?
/friends doesn't require any additional permissions, so I think it should be ok.
What and where can I do that? My app has its own URL and a canvas page at facebook. Would it be enough to remove the canvas page and only keep the direct URL?
Yes, you need to separate your canvas/mobile game from the desktop web game. Currently, they both have the same app ID; you can choose to either remove the canvas page entirely or create a new app for the canvas/mobile game and use that new app ID. Regardless, the end result is that only one of your games can use your existing app ID.