Using localhost to test Facebook canvas app - facebook

I want to create and test an app initially from localhost (where I run Ruby on Rails or Glassfish). I have read many postings about how to do this and NONE work. I have tried all the solutions discussed on stackoverflow and other sites.
Does anyone have a current method that does work (2015)?
The following did not work:
1) in Canvas URL http://localhost:3000/users/index/ with and without localhost as domains
2) Tried editing the Advanced tab to add redirect URL to same URL.
What happens is I get a blank screen (I have even tried really simple hello world type apps that run locally so it should work with facebook).
Thank you,
Lynne

You have to configure a secure canvas URL for canvas apps. It is mandatory and it has to be an https URL.

edit: This is actually a lot easier than I thought. I found this python script that creates a local https server. The only issue was that facebook is sending a POST request on the canvas page, and this server doesn't support POST requests, so I modified it a bit and now it handles the facebook canvas page correctly.
You don't need a domain, and in the script it tells you how to generate the self signed certificate. In the facebook app settings you can set https://localhost:4443/ as canvas url.
old post:
It is possible but it's a bit of a hassle. You can set a dns to 127.0.0.1 and use that. So if you own example.com, you can create an A DNS record for localhost.example.com and set it to 127.0.0.1.
The difficult part is that you have to find some way to create a certificate for this domain. If you want an official cert, the easiest option out there is Let's Encrypt. Verification of your domain through an https server is going to be difficult, since the Let's Encrypt servers will try to contact 127.0.0.1. So you're probably better off using DNS challenge validation. Another option would be a self signed certificate, which is a whole different story.
The last step is to find a server that can host https and use the certificates you generated.
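A sketch of the kind of local server the edit above describes, added here as an example and not the script the answer refers to: it answers the canvas POST as well as GET and listens on loopback only. The file name `server.pem` (self-signed certificate plus key) and the names `CanvasHandler` and `make_server` are assumptions; port 4443 is the one from the answer.

```python
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

PAGE = b"<!doctype html><title>canvas</title><p>Hello from the local canvas app</p>"
MAX_BODY = 64 * 1024  # refuse oversized POST bodies instead of buffering them


class CanvasHandler(BaseHTTPRequestHandler):
    def _reply(self, status=200, body=PAGE):
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply()

    def do_POST(self):
        # The canvas page is requested with a form POST; a GET-only server fails here.
        length = int(self.headers.get("Content-Length") or 0)
        if not 0 <= length <= MAX_BODY:
            self._reply(413, b"bad or oversized body")
            return
        fields = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        self.server.last_post_fields = sorted(fields)  # field names only, no values
        self._reply()

    def log_message(self, fmt, *args):
        pass  # silence per-request logging


def make_server(port=4443, certfile=None, keyfile=None):
    # Bind to loopback only: a development server with a self-signed
    # certificate should not be reachable from the network.
    httpd = HTTPServer(("127.0.0.1", port), CanvasHandler)
    httpd.last_post_fields = []
    if certfile:  # without a certificate the server speaks plain HTTP (tests only)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.load_cert_chain(certfile, keyfile)
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd


if __name__ == "__main__":
    make_server(4443, "server.pem").serve_forever()  # placeholder certificate file
```

The browser must trust or explicitly accept the self-signed certificate for https://localhost:4443/ before the canvas iframe will render it.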

Related

ATS policy issue when using a redirect url in Swift

I am using this link for example to load the link. Although the link is a http link it will be redirected to a https link. It works in the browser.
However, as soon as I let my iOS Application load the resource it will say "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.".
I am using this library to load the picture. Is it not supported that Swift loads the https resource? I could think of that ATS blocks the connection to the server so the redirect can't even be received.
I would be very thankful for any thoughts on this.
Christian
While you certainly can disable the entirety of ATS using the solutions provided by Kishan and Johnson, if you know the domain of the http resource you are trying to load, you have better options. For details of why the disabling of ATS entirely is not the best idea, see this post.
Better options are:
If you know the http resource is always going to give you a redirect to the same https:// url, why not simply use the https:// url in your code. This won't work if the redirect is dynamic, but if your code is trying to load http://www.example.com/resource and that always redirects to https://www.example.com/resource, why not just change your code to go to the https version.
Only disable ATS for the domain where you need to allow non https connections. This allows you to only allow http connections for domains you know don't support https, better protecting your application users.
Your ATS settings in your info.plist would look something like this:
If and only if your urls are driven by data that you don't control (i.e. the domains in those urls could be anything), you will need to disable all of ATS, and Apple may eventually want you to provide justification for disabling it. Originally they were going to have all ATS disabled apps go through an additional justification request process, but they haven't mentioned that recently. This should be a last resort.
Honestly, looking at your example UR
Go to info.plist add a term called App Transport Security Settings.
And under that add Allow Arbitrary Loads

Facebook WebGL Game + Facebook Simple Hosting + CORS. Possible?

Note: Solved - question makes no sense, my understanding of CORS was incorrect and led me to ask this question.
The answer is simple as pointed out by #CBroe below - CORS needs to be configured on the game server (in the example in this question).
I have a Facebook WebGL game that I'm wanting to host using Facebook's simple hosting (https://developers.facebook.com/docs/games/services/contenthosting/).
Is it possible to use Facebook's Simple Hosting for a WebGL game and still contact my web server (mygamedomain.com)? Is there somewhere in the FB app config to specify domains to allow?
Is the only way to get around this to serve the game from mygamedomain.com also?
I'd really like to avoid serving the game from my webserver if possible.
Any ideas or suggestions?
Not doing so will generate an error as expected:
XMLHttpRequest cannot load https://mygamedomin.com/mygame.php. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://apps-1287636812638.apps.fbsbx.com' is therefore not allowed access.
Just to be clear as there seems to be some confusion:
Game is hosted by facebook using their "Simple Hosting" service, not on my own server.
I know CORS is the solution - the question is - does Facebook allow/support this? If so where do I configure the domains to allow.
If this was on my own server the answer is trivial - CORS. But it's not.
There are hacks to circumvent cross-origin restrictions - I'm not looking for these. There's plenty of resources already covering these.
Edit: changed the title to more accurately reflect my question.
CORS is the solution to your problem here.
This question/the answer is not Facebook specific - the issue would be the same with any other domain serving your content, that is different from your own.
Your client-side code is hosted under the Facebook domain, and tries to make a request to your domain - that is the cross-domain part. Your domain is the party that holds the power to either allow or deny this request - by default, it would be denied, but by responding with the appropriate header, your server can signal to the browser, "yes, that's ok, he [your code running under facebook.com] is one of the good guys ..."
So you need to configure this on your server, that you want to make the request to.
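What "responding with the appropriate header" can look like on the server that receives the request, as an added example that is not part of the original answer: a minimal WSGI endpoint that allows only the hosted game's origin and also answers the preflight request. The allowed origin is the one quoted in the browser error above; the function names, the JSON body and port 8000 are assumptions.

```python
# Origin copied from the browser error above; replace with your app's origin.
ALLOWED_ORIGINS = {"https://apps-1287636812638.apps.fbsbx.com"}
ALLOWED_METHODS = ("GET", "POST")


def cors_headers(origin, preflight_method=None):
    """Headers to add to a response for a request carrying this Origin."""
    headers = [("Vary", "Origin")]  # caches must not reuse one origin's answer
    if origin not in ALLOWED_ORIGINS:
        return headers  # no Allow-Origin header: the browser blocks the read
    if preflight_method is not None and preflight_method not in ALLOWED_METHODS:
        return headers
    headers.append(("Access-Control-Allow-Origin", origin))  # echo the allowed origin
    if preflight_method is not None:
        headers += [("Access-Control-Allow-Methods", ", ".join(ALLOWED_METHODS)),
                    ("Access-Control-Allow-Headers", "Content-Type"),
                    ("Access-Control-Max-Age", "600")]
    return headers


def app(environ, start_response):
    """Minimal WSGI stand-in for the game server endpoint (hypothetical)."""
    origin = environ.get("HTTP_ORIGIN")
    if environ["REQUEST_METHOD"] == "OPTIONS":  # CORS preflight
        asked = environ.get("HTTP_ACCESS_CONTROL_REQUEST_METHOD", "")
        start_response("204 No Content", cors_headers(origin, asked))
        return [b""]
    body = b'{"ok": true}'
    base = [("Content-Type", "application/json"), ("Content-Length", str(len(body)))]
    start_response("200 OK", base + cors_headers(origin))
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

CORS only controls whether the browser lets the calling page read the response; the endpoint still has to authenticate and authorize each request itself.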

How to use Facebook for Developers share button using localhost

I'm trying to have a Facebook share button which shares the link of the current page. I am using localhost and Facebook is unable to reach my website since I'm using localhost (xampp). Is there any way to get around this? I have seen people mention about using tunnelme, but I don't see a tutorial on how to do it. Any guidance would be appreciated.
My technique to deal with this kind of issue is to define some fake domain in /etc/hosts (Linux or MacOS) or C:\Windows\System32\drivers\etc\hosts in Windows.
something like:
127.0.0.1 customdomain.liquidtabs
(Do not use .devel because it is now a valid TLD and causes some collisions).
Lately, I have been using a local DNS server (like dnsmasq) to define multiple custom local fake domains.
Finally, in your Facebook app configuration, you must add your fake domain as an allowed domain to access the API.
Lately, Google Developers Console requires a valid domain (for example, one ending in .com, like mycustomfakedomain.com). I do not remember if Facebook does too.
In this case, you must define a "valid" domain and override it in the hosts file. Like:
127.0.0.1 customdomain.local.liquidtabs.com
Now, run your website using your fake domain. You should now be able to access Facebook from the library (or Google or any other domain-restricted library) from "localhost".

If a https domain is redirecting to a http domain. Is there any point in having it?

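I looked around the internet to see if there was a clear answer to this, but it looks like there isn't. So, I work for a small company and one of the domains we have, has the SSL certification with it (https://hmc2agency.com); however, it redirects to the new "brand image" (http://www.wearehmc.com). I'm trying to figure out if we should even keep the certification, since it'll be expiring soon.
It's not like we sell things, or need the encryption stream (a term I could be pulling out of nowhere); however, we do host a few Facebook page tabs (I was told, that they need https domains) on the site. But, they don't use the HTTPS URL for "app."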
Ehh I don't know, I just like to code, I'm no network administrator.
There is no difference except for the fact that you have encryption on that Domain.
The DNS servers have knowledge that https://hmc2agency.com has a SSL cert and therefore will do everything in its power to maintain the cert and domain but once you redirected the domain to another domain the cert loses its 'power'.
In this case nothing really happens. It's a simple 302 redirect...you should change this to a 301 redirect for SEO purposes.
This is a good article for how HTTPs works.

What exactly am I supposed to do for OAuth 2.0 and https update?

I am a php developer. I created an application using fbml(non iframe) and didn't check roadmap regularly.
Today I received an email saying update to OAuth 2.0 and HTTPS by October 1st or the apps may be disabled.
I went through the documentation but could not get what exactly I am supposed to do.
From what I understood.
for https
we need to enable or buy ssl for our site and make https://example.com/facebookapps_folder/ accessible and fill the new url in Secure Canvas URL
Is that right?
I am confused about OAuth 2.0. For this do we need to change the whole code and libraries we are referring to?
Where can I get how do I change it.
I see some php examples but could not find clue what needs to be changed?
I think it is the way authentication is being done, but how do I do that.
If I fail to do it immediately (as only 3 days left) is there any way I can save my application from being disabled?
Make sure you have implemented OAuth 2.0 for authentication. Also you will need an SSL certificate for your app to support https:// protocol