Site URL has been been identified as malicious and/or abusive - facebook

This question has been around but my scenario is pretty tricky. I'm halfway through developing and launching a pretty large Facebook application (website) in Google App Engine and brought my own custom domain to point to the app id.
In the Facebook apps panel I registered :
1 application for the custom domain
1 application for the subdomain given by google app engine
For a few days I've been testing the application through the custom domain. I forgot to change the redirect URL in my authentication URL; its value was still left as the subdomain URL given by App Engine. So, the login process used to start from my custom domain and reach the subdomain in the address bar.
Facebook has been showing notifications that the custom domain is pretending to be a website that it is not and asked my testers to reset their Facebook password. I didn't promote that URL any longer. We continued testing OK with the subdomain URL.
Now, in the Facebook apps dashboard, I can't make any configuration changes in my custom domain configurations. It's showing:
Error
App Domains: li__ke__2__marry.c__om (without __) is not a valid domain.
Site URL has been been identified as malicious and/or abusive.
It's basically a misunderstanding, the Facebook algorithm must have assumed that my custom domain must be doing something malicious after tracking its activity. Actually, it is not, and I'm not blaming Facebook algorithm for this mishap.
My question is : How to apply to have this negative rating removed? Facebook is a very reputed product, and I hope they follow the most basic principle : every in should be made with an out. If they have a feature to blacklist I'm hoping to get a place where I can file a False Detection/Re-Classify Requests. It hasn't cheated anybody and all the few people that used it were my friends and to my laziness I was not testing it in sandbox mode nor did I register/configure any of them as application testers! But that doesn't mean my URL is malicious.
A similar request in the bug report feature of Facebook was rejected marking that it should be put in the Stack Overflow community and even in the Stack Overflow community, I found someone authoritative closing a similar question asking them to post it in the bugs section of Facebook. This link from the community for the exact problem forwards the user to Stack Overflow itself.

Here is a form for appealing blocked content (in your case, a URL). However, there is very little chance of getting your URL unblocked, but you may still try this form and hope to get a reply from Facebook. In any case, if your URL is unblocked there is a high probability that your future users will see a captcha when visiting your app from mobile devices. So I can recommend changing the URL and continuing development with another URL.

Related

Example of an OAuth Homepage for Google

I have created a Flutter application for both iOS and Android that uses OAuth2 in order to authenticate the app. While I can sign in successfully on iOS, Android gives the following error:
E/flutter ( 6309): [ERROR:flutter/lib/ui/ui_dart_state.cc(157)] Unhandled Exception: PlatformException(sign_in_failed, com.google.android.gms.common.api.ApiException: 10: , null)
This is almost certainly because of a configuration issue in my OAuth verification request. Their rejection (see below) describes a homepage they require:
Dear Developer,
Thank you for submitting an OAuth App Verification request.
Unfortunately, we cannot proceed further with the verification process
until the requested things are provided.
As we discussed in our previous communication, to proceed with the
verification process for your project what-happend-here you will need
to provide a homepage that accurately represents your app’s identity
to Google users.
Every OAuth2 project requires a homepage. To ensure users’
understanding of your app’s purpose, your homepage should:
Be a verified domain under your ownership
Be accurate, inclusive, and easily accessible to all users
Link to an externally accessible domain that describes the necessary content, context, or connection to the app you are submitting
Explain with transparency the purpose for which your application requests user data
etc.
However, despite the description, I've no feel of what it should be like. Is there an example of such a page that I can use as a model?
Thanks for any help.
I've been back and forth with google over this issue. I can't give a simple answer, but I can summarize the items I've changed in order to meet compliance.
For context, I'm just using oauth on my personal webpage to identify users. I'm not selling an app. I'm not using restricted scopes. I'm not touching any user data.
This should be the simplest case, yet it was difficult to get approval. Each rejection reply is in the style of a form letter. I conclude that an AI has been trained against a set of compliant pages, and it "feels" mine isn't compliant, i.e. it's not able to point to a specific violation like a human or a rules-based system would. For this reason, I advise against spending time on your email replies. It doesn't seem that anyone reads them; just change your content and reply to get the AI to look again.
In the google console you must provide:
a homepage url
a privacy policy url
an uploaded icon image file
If you're using oauth for a website, don't confuse the oauth console "homepage url" with the base url of your website. Google wants a "homepage" that says "what your app is".
The content served at the homepage must have a [link rel="shortcut icon"] whose href points to the identical bytes of the icon you uploaded in the oauth console. If the bytes differ because you're using a scaled or differently styled image, you'll be rejected.
The content served at the homepage must have a privacy policy link where the href is identical to the characters entered at the console. If they're the same page, but differ by an anchor for example, you'll be rejected.
Also watch for caching. I changed the contents of my [link rel="shortcut icon"/] and got a reply that seemed to accept the icon but complain about another issue. Then when I fixed the other issue they rejected me for the icon again. I think since I changed the uploaded icon but didn't change its name that they later saw a cached icon. I changed just the url (thus invalidating their cache) and the next reply didn't complain about the icon.
If you're not using restricted scopes you shouldn't need the limited use disclosure, but I got a complaint about that so I added it.
Here's what I'm using for both the homepage and the privacy policy:
https://holtstrom.com/michael/about/
Here's how that looked at the time of this posting when it was finally approved.
You'll see that I have all of the google requirements rendered in underline followed by the text that satisfies the requirement.
In case it helps, here's the replies I received from Google:
Google OAuth Consent Screen Verification:
#Michael Holtstrom's answer works perfectly, and I got my app approved on just the 2nd attempt.
But since there is no information available anywhere on the internet regarding this, I am posting my answer with all the screenshots, only to support #Michael Holtstrom's answer, so that you can move ahead with more confidence.
Because, I was really worried for 3-4 days whether my app will get approved or not. Because this was the last part left in my project.
I was also using Google OAuth only to get email, name and profile picture.
My app could have got approved on the first attempt, but the first homepage I submitted had text selection disabled (because I built it using Flutter Web, on which text selection is disabled by default).
So, I think Google's AI was unable to read the text on the homepage, and thus asked me to update the homepage.
Next time, I built it using WordPress, and then my app got approved.
(And by the way, I'm using the Chrome extension Dark Reader, that's why all the screenshots have dark mode enabled.)
Youtube Video Url:
https://youtu.be/lzq9WjCXT6c
Consent screen form on GCP Console
Google OAuth Homepage
https://www.madhavkumar.in/about/
Privacy Policy
https://www.madhavkumar.in/privacy-policy/
Email thread with Google Trust Team
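The two matches described in the answers above (identical icon bytes, character-identical privacy policy href) can be checked locally before resubmitting. This is an added example, not code from either answer or from Google; `check_homepage`, the `fetch` callback, the example.test domain and the sample HTML are constructed for illustration, and it covers only those two checks as the answer describes them.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin


class LinkCollector(HTMLParser):
    """Collect <link rel=...icon...> hrefs and every <a href> value."""

    def __init__(self):
        super().__init__()
        self.icon_hrefs, self.anchor_hrefs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href = a.get("href")
        if href is None:
            return
        if tag == "link" and "icon" in (a.get("rel") or "").lower().split():
            self.icon_hrefs.append(href)
        elif tag == "a":
            self.anchor_hrefs.append(href)


def check_homepage(homepage_url, html, uploaded_icon, console_privacy_url, fetch):
    """Return a list of problems; empty means both checks pass.

    fetch(url) -> bytes is a caller-supplied (hypothetical) helper, so the
    check runs against a live site or, as below, against canned content.
    """
    links = LinkCollector()
    links.feed(html)
    problems = []
    if not links.icon_hrefs:
        problems.append("no <link rel='shortcut icon'> on the homepage")
    else:
        icon_url = urljoin(homepage_url, links.icon_hrefs[0])
        served = hashlib.sha256(fetch(icon_url)).digest()
        if served != hashlib.sha256(uploaded_icon).digest():
            problems.append(f"icon bytes at {icon_url} differ from the uploaded icon")
    if console_privacy_url not in links.anchor_hrefs:
        # Same page under a different string (e.g. an added #anchor) still fails.
        base = urldefrag(console_privacy_url)[0]
        near = [h for h in links.anchor_hrefs
                if urldefrag(urljoin(homepage_url, h))[0] == base]
        hint = f" (near miss: {near[0]!r})" if near else ""
        problems.append("privacy policy href is not character-identical" + hint)
    return problems


# Constructed sample data; example.test is a placeholder domain.
HOME = "https://example.test/about/"
ICON = b"\x89PNG constructed icon bytes"
SITE = {"https://example.test/img/icon-v2.png": ICON}
GOOD = ('<link rel="shortcut icon" href="/img/icon-v2.png">'
        '<a href="https://example.test/about/">Privacy policy</a>')
BAD = GOOD.replace('about/">', 'about/#privacy">')

if __name__ == "__main__":
    print(check_homepage(HOME, GOOD, ICON, HOME, SITE.get))
    print(check_homepage(HOME, BAD, b"rescaled icon", HOME, SITE.get))
```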

New facebook image requirements and third party plugins

We have been trying to get facebook approval for the use of an existing, already approved (with other people using it) third party extension for magento 2 that helps a user design photo albums. We would like to enable our customers to have access to their facebook photos when designing photo albums.
The initial app review was submitted at about the time facebook started making all of its changes and thus sat idle for three months as they changed some of their internal policies and handled the subsequent backlog. It was even cancelled at one point requiring us to re-submit it.
Most recently, it finally received a review and was rejected because facebook confused the photo behavior with the login behavior.
I'm not trying to re-submit the review request with more details to show that it's a different piece of software performing a different function from the login-with-facebook but now (unlike the first time) I'm getting an error when using one of the test accounts:
Can't Load URL: The domain of this URL isn't included in the app's domains. To
be able to load this URL, add all domains and subdomains of your app to the App
Domains field in your app settings.
This error didn't appear when I created the 'experience' video 3 1/2 months ago so presumably it's something new from facebook's end as the settings in the app haven't changed. I can only guess as to the cause, but the third party app uses an end-point that is not on our domain but is instead one of their domains for their designer hub which actually handles the album design. The plugin is the MediaClip album designer and the end point is on photos.mediacliphub.com
But the facebook app settings won't allow me to add photos.mediacliphub.com to the App Domains saying:
App domains must match the domain of the Facebook
Web Games URL (https), Mobile Site URL, Unity Binary
URL, Site URL or Secure Page Tab URL. Please correct
these domains: photos.mediacliphub.com
Of course since we are the only one of their customers sitting in the middle of a review process at the moment, I'm having a hard time convincing mediaclip that it is a problem with the urls/changes-at-facebook. (especially since I am not entirely sure of that myself)
Facebook, meanwhile has closed itself off from the world in regard to any means to contact support with an actual specific question or inquiry. I've tried joining the Facebook Developers group on facebook and posing the question but so far it hasn't received a single reply or comment.
If anyone knows what might be going on or has any suggestions, it would be greatly appreciated for as of this point, I can't even re-submit the review request if I'm receiving errors in the experience as it will just get rejected.

facebook app not working on mobiles

I have a Facebook app (canvas app), let's say https://apps.facebook.com/test, that redirects and works as expected on the desktop (on all browsers that I have tested).
On mobile phones (both from the FB app and the browser) the path gets redirected to https://m.facebook.com/apps/test/?ref=web_canvas, which gives a "This page cannot be found" error. Why?
This has been reported as a bug to Facebook and Facebook has confirmed it as a bug. They have not provided a date on when the fix will be ready.
You can follow the status of the bug here:
https://developers.facebook.com/bugs/1051463851558493/
Update: Facebook have (since the information struck-out below) completely removed support for this. The thread about this is here:
https://developers.facebook.com/bugs/1051463851558493/
The top-level information is:
We have now deprecated Mobile Canvas URL. This means that you will no
longer be able to direct to a website/app directly within the Facebook
mobile web based upon the external destination URL you have specified
in the 'Mobile Site URL' field for the app on developers.facebook.com.
Furthermore, we have removed the 'Mobile Site URL' field from the app
setup going forward. This deprecation also applies to apps that were
previously whitelisted.
So it's time to move away from this functionality, and either integrate the newer FB Instant Games functionality or just link to an external website as having your canvas app hosted inside the FB mobile app simply isn't possible as it was in years gone by.
Facebook has disabled mobile URLs working by default:
We recently identified a handful of apps misusing our mobile App Center to redirect people to unauthorized sites. As a precaution, we have temporarily turned off the ability for developers to direct to a destination URL for any app in the "Mobile Site URL" field on the dev site.
Now if you wish for this functionality to work, you need to be logged into Facebook and then go to the following URL:
https://www.facebook.com/help/contact/588209321338256
This URL will effectively put your request in a queue, for someone at Facebook to manually verify your app configuration isn't malicious, and then enable the redirection. I do not like posting this answer, as I know it will eventually become invalid, but as of today it is the only answer. As stated by Scott, you can follow progress on this issue here:
https://developers.facebook.com/bugs/1051463851558493/
Please ignore the fact it claims the issue has been 'Fixed' as Facebook count the above workaround as a fix. If you read through the comments on the bug you can note the waiting time to get the URL fixed (on a per app basis) is typically several weeks.
On May 28th, 2017, Facebook confirmed that the Mobile Canvas URL has now been deprecated. Any apps already using (and white listed) will stop working, and no new apps will be accepted.
Hi everyone,
First, please accept my sincere apologies for the delay in getting
back to you with an update on the status of Mobile Canvas URL. I
understand your frustrations, particularly if you submitted your
details via the form and were waiting on a response.
We have now deprecated Mobile Canvas URL. This means that you will no
longer be able to direct to a website/app directly within the Facebook
mobile web based upon the external destination URL you have specified
in the 'Mobile Site URL' field for the app on developers.facebook.com.
Furthermore, we have removed the 'Mobile Site URL' field from the app
setup going forward. This deprecation also applies to apps that were
previously whitelisted.
The Mobile Canvas URL feature is a vestige of a long ago deprecated
product called Mobile Canvas. Facebook maintains a high commitment to
quality, so we don't want to leave unsupported products active —
especially when they continue to cause bugs for our developers. Going
forward, we're recommending you take advantage of the well-supported
Facebook Games on Web product to drive traffic to your app.
We've also introduced Instant Games which lets people play mobile
games within Messenger and Facebook News Feed. We invite you to sign
up for our closed beta program. We believe letting people play games
together on Facebook is a powerful experience for both players and
developers.
If your app is still set up to rely on Mobile Canvas URL
functionality, we recommend taking the following actions:
If you're using Mobile Canvas to link to a page on mobile web, you need to update your app to handle the redirection in the desktop
iframe. User interaction is required to redirect away from web canvas
as our Platform Policy does not allow automated redirects from canvas.
If your app was previously whitelisted, you will need to take action as this deprecation supersedes any workarounds you have in place.
Thank you for your understanding as we continually improve the
products and services we offer to both developers and players. Again,
please accept my apologies for the wait in getting back to you with
this information
Best regards,
Tim
See this thread https://developers.facebook.com/bugs/1051463851558493/

What parameters are allowed in Desktop web game policy change?

We have a browser based game which uses Facebook Connect through an AppID that we used to run the same game in a canvas until Fb Credits were introduced and we were forced to shut it down. Now, we only use the App the same way as a product page with the FbConnect integration on our own site.
Today's mail states for our case:
If your Connect app is accessing user connections or asking for additional permissions beyond age, email, and our Publishing Permissions, please remove these requests.
(This refers to this policy change: https://developers.facebook.com/blog/post/2012/09/05/platform-updates--operation-developer-love/)
We are using oauth FbConnect with scope=email,user_birthday. This is exactly what was specified in an earlier mail so it should be ok.
Once the user is authenticated, we simply call
https://graph.facebook.com/me?access_token=...
and read what comes there.
Is it possible, that we are not allowed to call the GraphAPI's me anymore? It contains info like gender, location and locale...
The Oauth data contains the fbuid, first/lastname and the email, but it does not contain the age, which we are supposed to be allowed to ask for?
Do I have to call https://graph.facebook.com/me?fields=birthday explicitly?
Did anyone actually succeed in getting a "desktop web game hosted primarily off Facebook" to comply with their new policy without creating a new AppID?
Note: There have been a couple of questions about the "Sep 5th policy change", like "Facebook: Notice of Violation" and many previous ones closed as duplicates, but none I found so far contains questions or answers on a technical level.
Maybe you could skip the "Website with Facebook Login" part in developer settings and only provide your game directly via canvas. (eg. apps.facebook.com/logogame). that's what "on facebook.com" is all about, I guess.

What’s the correct/best approach to have multiple unrelated App Domains associated to a Facebook application?

I have an application hosted on Azure and accessed through a web page. Authentication to the application is handled by signing in through Facebook. The application is not a Facebook canvas application, though it can share some activity to a user's Facebook stream.
I have two URLs to access my service; one http://projectgreenwich.cloudapp.net/ points to the site in the cloud (on Azure) while the other http://projectgreenwich.research.microsoft.com relies on DNS to give the application a more official looking URL. My problem is that in the Facebook application set-up (http://developers.facebook.com/apps/) I can only give one "App Domain" for the Facebook authentication to pass back to. I can fork from that domain, e.g. having projectgreenwich.cloudapp.net, projectgreenwichlocal.cloudapp.net, projectgreenwichtest.cloudapp.net, etc. But if I try to add a different domain (e.g. projectgreenwich.research.microsoft.com) I get an error when I save the Facebook app settings.
My solution has been to add http://projectgreenwich.research.microsoft.com as what Facebook term the "Mobile Web URL" for the app. This fixes my immediate problem (authentication on Facebook from http://projectgreenwich.research.microsoft.com works) but it leaves me uncomfortable about two things:
It's a hack. The http://projectgreenwich.research.microsoft.com URL is no more a "Mobile Web URL" than the http://projectgreenwich.cloudapp.net/ is.
If I add other DNS entries resolving to http://projectgreenwich.cloudapp.net/ there's no further place to add them.
There are a couple of related answers on Stack Overflow that suggest this is not possible and that Facebook’s blog-post to the contrary is misleadingly worded, but I’m hoping things have changed:
Zachary Kestenbaum's answer to ginja's question "Is it possible to configure a Facebook app to be used across multiple domains?" here: https://stackoverflow.com/a/7722584/575530
Ross' answer to Winaji's question "Facebook Connect for one application with multiple domains?" here: https://stackoverflow.com/a/4449914/575530
What’s the correct/best approach to have multiple unrelated App Domains associated to a Facebook application?