When facebook application use Secure Canvas? - facebook

I have a Facebook application, and my host have selfsigned certificate. Usually thats not a problem, because my browsers used Canvas URL (with http), and everything worked fine. But some other browsers requires Secure Canvas URL (with https), and throw an exception if Secure Canvas URL is empty, or if my host has incorrect certificate.
So how the browser/Facebook decides when to use Canvas URL, and when Secure Canvas URL? Can I make them use Canvas URL only, without https?

If I'm correct applications have a setting like "October 2011" or something (I'll try to verify that for you). Maybe if you disable that one you can use http. The idea behind this implementation was to put every new applications on https.
Now I can understand for development purposes you want to try without https. Not every browser acts the same way with self-signed certificates (Chrome <-> FF).
In a business environment I strongly suggest you have a valid certificate.
EDIT : possible duplicate of your question http://facebook.stackoverflow.com/questions/7308348/facebook-canvas-apps-https-and-http
EDIT 2 : Apps on Facebook Authentication and Security Migration (HTTPS)
All Canvas and Page tab apps must convert to process signed_request (fb_sig will be removed) and obtain an SSL certificate for use in "Secure Canvas URL" and "Secure Page Tab URL" (unless you are in Sandbox mode). You must provide an SSL certificate in the Dev App settings to avoid having your app disabled.
So ... are you in sandbox mode?

Related

App on Facebook secure canvas URL not loading

The site that I am embedding for my app on Facebook is SSL enabled and hitting the https page on a normal browser brings up the site as expected. For now, my SSL certs are self-signed.
However, when I try to run the app on Facebook, it fails to load the page. There are no errors except the image below. Mouseover on the icon shows a "NULL":
So my question is, does this have to do with the fact that my SSL certs are self-signed? Or is there some other reason for this?
Also, I am not able to check if the non-secure page (http) works on the app as Facebook does not allow me to switch off my secure browsing mode.
After obtaining commercial SSL certs, it now works. So I guess any SSL certs that result in a browser prompt asking the user to continue would not work in an embedded canvas on Facebook.

Facebook iFrame tab

I have read that Facebook requires that iframe pages uses secure connections (SSL).
But I am now setting up my first app and there are two fields, one "Canvas URL" and another for "Secure Canvas URL".
Has the Facebook policy changed? Is it possible to use an iframe with an non-secure canvas url?
Secure canvas urls are not required in these scenarios:
The app is in sandbox mode and you are a developer or someone who can view the app in sandbox mode.
The app is public
and the user of your application has not enabled secure browsing on
their Facebook account.
If your app is live (not in sandbox mode) and you want ANYONE to use your app, the you will need to get an SSL certificate for your server and add the secure URL to your app's settings
Here is a blog post from Facebook about the change they made in October 2011 http://developers.facebook.com/blog/post/2011/09/09/platform-updates--operation-developer-love/
Sorry in advance for my bad english:
Fb policy has changed a lot in the last period.
Actually you NEED absolutly 2 canvas urls:
"standard" canvas (simply, link the host where the app/program is
stored)
secure canvas (you need to buy a facebook certificate for your host where app is stored)
Basically the app works if you have and also if you don't have a SSL certificate, but people who have setted a strong app privacy on their fb accounts, aren't able to see your app
(browser displays an error message: "this website is not secure bla bla, ecc")
Yes, you need a SSL certificate, but you can get 1 free cert in startssl.com.

Are FBML apps required to provide HTTPS canvas url by 1st of October?

Since FBML apps canvas url(s) are not directly accessible by the end user, I suppose not , but can anyone confirm this ?
Confirm: "An SSL Certificate is required for all Canvas and Page Tab apps (not in Sandbox mode and not FBML)." See here: http://developers.facebook.com/docs/oauth2-https-migration/
Though I am currently getting mixed content warnings in IE and Firefox when using Facebook in https mode and then loading content over http in the app. So users of your app might get kinda bad feeling if you do not serve your content over https.
UPDATE:
Facebook:
"We have heard that there is some confusion about whether FBML apps
must support HTTPS. FBML developers still need to know whether users
are browsing Facebook over a secure connection since they need to
detect whether to serve iframe or video content over HTTPS. As a
result, FBML apps must obtain SSL certificates in order to serve this
type of content to users browsing over a secure connection. If you
have an FBML app, please obtain an SSL certificate for your app to
receive traffic from users browsing Facebook over a secure connection.
If you enable SSL for your FBML app, please make sure that your SSL
certificate includes all intermediate certificates in the chain of
trust as our SSL validation is strict. You can use third-party SSL
analysis tools (e.g., https://www.ssllabs.com/index.html) to check
your certificate status and fix any errors (and warnings). If your SSL
certificate has problems, you may see "Empty response received" error
when you load your FBML canvas app."
https://developers.facebook.com/blog/post/567/

debug facebook canvas app after ssl restriction

I have a canvas iframe Facebook app.
I updated the secure canvas URL with https url and it works fine.
since October 1st, it is not allowed to access apps without ssl.
I used to debug my app by creating a duplicate app with localhost as the canvas URL.
Since October 1st (or actually since today...) it is not possible to access it due to the ssl restriction. How can I debug facebook app now??
In your account settings turn off 'Safe browsing' so you will be visiting Facebook without https. Then it does work for me (after turning on Sandbox mode that is).
Turn sandbox on
(source: phpcode.eu)
Apps on Facebook authentication and security migration
All Canvas and Page tab apps must convert to process signed_request (fb_sig will be removed) and obtain an SSL certificate for use in Secure Canvas URL and Secure Page Tab URL (unless you are in Sandbox mode).

facebook page tab not available over ssl

So I created a facebook app using iframes, I'm using it as a tab on a facebook page and it works.
But if I use HTTPS, the tab isnt even there.
Anyone know how to fix this?
thanx
Facebook recently enabled the ability for users to set their accounts to use secure browsing (https / ssl). In your application settings > Facebook integration section you now have 2 fields: Secure Canvas URL & Secure Tab URL which in order for your app to work if a user has enable secure browsing, you will need to fill those in. This also requires that the server you are hosting your app on has a valid and configured SSL certificate.
If you are browsing over HTTPS (which is a something a user can now enable in their FB account settings), then the iframe will need to be pulled in over a secure connection too.
This is a known issue (marked as fixed and resolved - http://bugs.developers.facebook.net/show_bug.cgi?id=15200) and, rather than attempting to simply call the same URL over HTTPS, Facebook now provide a separate field under the integration settings for the URL of a secure version of the iframe. If this does not exist, then the tab will not display over HTTPS.
Sergiogx, make sure you filled both fields Canvas Tab URL and Secure Canvas Tab URL. I'm using free facebook page hosting from http://hostfb.com and they also provide SSL support.