Facebook Policy on Running Canvas App Outside iFrame? - facebook

I am currently working on a Facebook app. At the moment it is running in the canvas iFrame. However, ideally I would like it to also be accessible outside of the iFrame as well - much like Branchout is accessible within Facebook and also independent when loaded directly on their website.
According to the Facebook Platform Policies:
The primary purpose of your Canvas or Page Tab app on Facebook must not be to simply redirect users out of the Facebook experience and onto an external site.
Is anyone aware of any additional policies around this?

Related

Facebook App Center Game that doesnt use FB API?

Is it possible to submit my 3D WebGL HTML5 / Facebook Canvas app to the App Center, even though it does not use the Facebook API? It isn't integrated with Facebook in any way, other than, being embedded in..
https://apps.facebook.com/flappy-wheels/
..from a Dropbox-hosted URL, if that even counts as a technical "Facebook integration" - which I doubt, as no API usage or Facebook signup or login required to even play it.
I keep on trying to submit it for App Center review but it insists to think I'm using the FB API when I'm not. Does this mean usage of the FB API is absolutely required for App Center submission? What if I dont want my app logging in to people's Facebook accounts? What if I don't want it accessing their personal information, or posting for them, or any of that jank? What if I just want it to be a game to simply be played embedded in a FB app URL, with no actual FB integration or interaction? Can that not be put on the App Center?
It thinks I need 3 permissions, one of which is logging in to people's accounts, I think these 3 permissions are put there in settings by default, how do I removed those permissions from my app settings, as those permissions listed aren't being used in my game, as it isn't using any FB permissions?
A smaller question on the side, what is the "tagline"? Like, it is the keywords / searchable tags, right? I'm used to them being called just "tags" and not a "tagline" so just to be sure I know what it is.
Thank you so much for any help or suggestions!
Yes you can always submit the html5 game on facebook canvas but for App Centre listing its necessary. Also using dropbox, github hosted sited will have less server resources allocted to them and hence high load time - i recommend to use any other hosting services out their, but remember https is a must.
Tagline is like a punch line for any product just go on the same theme.

Why Facebook Canvas over Facebook Page Tab?

I have read up on the differences from 'setting' up the Canvas Page vs the Page Tab. I also see the Canvas page allows for interaction with notifications, bookmarks, newsfeed, timeline etc. However, doesn't a Page Tab also allow that?
I am trying to figure out in what instances would you use a Canvas over a Page Tab.
Thanks.
The main difference between apps embedded into pages and canvas apps that is the canvas apps have their own, unique URL under the https://apps.facebook.com/... domain.
The fact your app is embedded on a page or not is not necessarily in your hand because the app creator and page admins could be different people. The added integration points facebook gives you all tied to this URL. (I guess they could use your backend url directly but they wont be able to show ads there.)
You might want to choose canvas app if you need one or more of these features:
You want to use facebook platform features tied to canvas.
requests
bookmarks
apps / games dashboard
show up in search results
Want to support wide screens
Canvas pages can be configured to expand "wall-to-wall" and take advantage of users with big screens.
Want to use deep links (easily) into your app.
Deep links can be implemented on page tabs with the data GET parameter (coming down into your app via signed_request on tabs), but canvas pages get this for "free".
There's a best practice guide in docs on how to create good canvas apps.

Facebook canvas iframe and security

I want to open my small platform to developers, so they can build applications that could be inserted in our site as iframe. Similar as facebook is doing, but no, I am not trying to build another Facebook:). From what I understand developers can build facebook application using iframe.
Question: I am wondering how is about security from facebook user perspective. How Facebook prevent that application developer doesn't put malware javascript code inside iframe. I haven't noticed any automatically mechanism that prevent including something like that in iframe.
tnx
No, this is not a problem at all, I think you are worrying for nothing.
There are no security issues that you need to worry about yourself, the loaded page in the iframe is sandboxed, and is "guarded" by the browser.
The two iframes can't even communicate with one another since they are not sharing the same domain, and modern browsers will block any attempt to execute javascript code in another frame if the two frames have different domain.
The thing that facebook did was to workaround that problem, each iframe app in facebook loads the facebook javascript sdk which then enables the nested iframe to make requests to facebook and be notified (by callbacks) when the data returns.
As for "malware javascript code inside iframe to attack user computer via browser", the iframe has the same exact security policies enforced by the browser as any other browser page, if someone manages to somehow bypass those policies then it has little difference where it's loaded, and facebook are not enforcing any other security measures.
The only thing you need to worry about is that scripts inside the iframe will be able to access your scripts and/or dom, which should not happen unless you create a machnism which will let them (somehow bypass the cross-domain policy).

twitter and facebook app in a modal div inside an iframe

I need to link the user's twitter and facebook profiles in a website profile while the website is loaded inside other websites' through iframe.
Is it possible to do that using a modal div inside that iframe? I'm quite in trouble thinking about the return url and page reload.
Have some example?
btw i'm using php but think it's not important now
Thanks,
A.
You can do what ever you want in your page even when it resides in an iframe. What you can do in it (visually) is only limited by the dimensions of the iframe (unless the hosting page has some kind of layer on top of your iframe).
I can't speak of the twitter way of doing things (you can always check their documentation) but with facebook it's pretty easy to integrate into the graph using the api.
You need to have a facebook app, and then in your page (even if it's in an iframe) you can use the javascript sdk to authenticate the user and then use the graph as you need (and have permissions to).

If I create an application on Facebook does it also need a front end on my home website?

If I create an application on Facebook that populates the canvas / iframe on Facebook, do I have to have anything on the home domain that also works? For example, if I have myapp.com do I need an interface on that page that operates independent of facebook for any reason or can I just use my home domain to serve the php files for the iframe in facebook? Also, is there any reason I can't have a separate set of webpages not in facebook that introduce the app, about, contact us, etc.?
Thanks.
Your app will run from your webserver but doesn't have any requirements for showing anything directly from your website. In other words you could create a directory on your webserver and isolate your app.
I'm not aware of any limitations discussing your app in your website but a quick glance over the FB terms of service might highlight anything specific you're trying to do.