Recently I noticed that my applications on Facebook stopped to work properly.
When someone opens app who did not authorize in yet I display simple content with link,
When link is clicked, in application I issue redirect (in Spring I return "redirect:...url..") to URL:
https://www.facebook.com/dialog/oauth?scope=email&client_id=317651918315301&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Facnestop&scope=email&response_type=token
it sends 302 with given location to iFrame.
Then blank iFrame is displayed, and following headers from FB are returned:
Cache-Control private, no-cache, no-store, must-revalidate
Connection keep-alive
Content-Encoding gzip
Content-Type text/html; charset=utf-8
Date Fri, 25 May 2012 10:37:11 GMT
Expires Sat, 01 Jan 2000 00:00:00 GMT
P3P CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma no-cache
Set-Cookie _e_1vFX_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly locale=pl_PL; expires=Fri, 01-Jun-2012 10:37:11 GMT; path=/; domain=.facebook.com wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Transfer-Encoding chunked
X-Content-Type-Options nosniff
X-FB-Debug VYI+cCm/Vfpx3US82n06uFuw5gF6UQDg+8GUSpGUL9A=
X-Frame-Options DENY
X-XSS-Protection 0
x-content-security-policy... allow *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*;options inline-script eval-script;report-uri https://www.facebook.com/csp.php
And just blank iFrame is displayed.
When URL which I redirect to is pasted to browser directly - it displays Facebook prompt to authorise app.
Any ideas why behavior is different when iFrame is redirected from pasting and opening same link in browser?
I noticed this today, previously app was working fine.
This is my sample app:
https://apps.facebook.com/acnestop/
If the user has not authorized your application, you need not handle that, facebook takes care of that.
But handling the case where a user has not logged in you can use getLoginURL
$loginUrl = $facebook->getLoginUrl(
array(
'scope' => 'email,user_checkins,etc',
'redirect_uri' => 'https://apps.facebook.com/my-application/'
)
);
Do not forget the trailing slash in redirect_uri
Hope this helps
Taken from Facebook:
Because your game is loaded in an iframe, returning a 302 to redirect the user to the Login >Dialog will be unsuccessful. Instead you must target the top (or _top) frame for redirect, >which causes the parent window to redirect to the Login Dialog URL.
Thus, you must redirect the user manually to something like
https://www.facebook.com/dialog/oauth?client_id=YOURID&redirect_uri=YOUR-REDIRECT-URI
It's because Facebook 0auth don't support iframe anymore.
U can see that in response header x-iframe-options:deny
Related
I am trying to build Facebook Canvas application using Java/Spring Social Facebook library.
When an user first time access the Canvas page(apps.facebook.com/mycanvasapp), facebook is doing HTTP POST with 'signed_request' in the body to my app url.
As the user is first time accessing the app, facebook sends empty 'oauth_token' in the POST body; hence my app returns HTTP 200 code with below Java Script code to present authorization dialog box to the user.
top.location.href='https://www.facebook.com/v2.5/dialog/oauth?client_id=12345&redirect_uri=https://myapp.com/canvas/';
This is to do top level redirect at client/browser side as HTTP server redirect is not allowed in iframe.
However, I do get below error in browser/Chrome logs and fails to present the authorization window to the user.
Refused to display 'https://myapp.com/canvas/' in a frame because it
set 'X-Frame-Options' to 'DENY'.
Similar question asked in other post -
Web App in Facebook Canvas / X-Frame-Options Deny Case
where it suggested to do browser side top level redirect instead of HTTP server redirect.
I am doing top level browser redirect only using 'top.location.href' in Java Script, but still experiencing same problem.
When i replay the request in the curl/command line, here is the response that my app is returning that seems to be okay to me.
HTTP/1.1 200 OK
Connection: keep-alive
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, X-Auth-Token
Content-Language: en-US
Transfer-Encoding: chunked
Date: Sat, 09 Jul 2016 04:40:17 GMT
Via: 1.1 vegur
<script>top.location.href='https://www.facebook.com/v2.5/dialog/oauth?client_id=12345&redirect_uri=https://myapp.com/canvas/';</script>
Tweaking 'X-Frame-Options' header field seems not helping much.
What am I missing ? Can some one please suggest a workable solution ?
There are some suggestions on using Facebook Java Script SDK library. But as my app contains within Facebook Canvas page, upon accessing the Canvas page Facebook does HTTP Post to my server, so wondering how to load HTML/Java Script to load Facebook Java Script SDK library before this process kicks in.
PS: I am using org.springframework.social.facebook.web.CanvasSignInController Spring pre-built controller in my app.
I resolved this problem by disabling/suppressing be security headers for the POST response from my server,
X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Max-Age: 3600 Access-Control-Allow-Headers: Origin,
X-Requested-With, Content-Type, Accept, X-
The key is to exclude X-Frame-Options & Strict-Transport-Security in the headers, that resolved the problem for me now.
I have a Perl script which Logs in the user. After the user logs out, I am able to go back to the login page by pressing the back button. How can I prevent the user from doing so. The user should be prompted to login again after logging out. Also, after logging in when I press the back button the page redirects me to the login where logging in again should be mandatory.
In short the user should not be able to access the protected pages unless he authorizes.
A JavaScript solution from http://jakub.fedyczak.net/post/force-page-refresh-on-back-button/:
Put <body onunload=""> in your HTML output
Headers to set, as suggested by Quora's Adam D'Angelo:
Cache-Control: private, no-store, max-age=0, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
In general,you should have some logic on the page that checks if the session is active/present and perform either a redirect (302, 307, etc...) that will send it to a login/authentication page, or a forbidden/authentication error (403, 401, etc...). That in addition to what #mob mentioned already, which will cause the browser to expire its local cache for that page.
I'm trying to share to Facebook this url:
http://curation.masternewmedia.org/
or an other url of this domain:
http://curation.masternewmedia.org/p/1689258249/how-to-check-and-verify-news-info-in-real-time-from-social-media.
Facebook linter generates a 200 status code and Could not retrieve data from URL:
http://developers.facebook.com/tools/debug/og/object?q=http%3A%2F%2Fcuration.masternewmedia.org%2F
When I curl the same url everything seems to be ok
$>> curl -I http://curation.masternewmedia.org/
HTTP/1.1 200 OK
Date: Wed, 02 May 2012 08:53:29 GMT
Server: Jetty(7.5.4.v20111024)
Content-Type: text/html;charset=UTF-8
Content-Language: en
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: userId=e26ee613-8792-4f03-9066-52b6aa09a901;Path=/;Expires=Sat, 30-Apr-2022 08:53:31 GMT
Via: 1.1 www.scoop.it
Vary: Accept-Encoding
Can you please help me to understand how I can fix this issue?
Many thanks in advance
The issue seems to be that the Facebook scraper is seeing nothing at all in the source code of your site. This link will give you a view of what the scraper sees when it visits your site
I'm no expert, but I have a feeling there's something wrong with the object you've specified in the "type" section, i.e. topic
<meta property="og:type" content="topic"/>
Removing this made it work for me. If you have defined a custom action type and are using that, but have not yet had it approved, it might be caused by that. Anyway, it seems to be boiling down to that part.
You can see it working with the url soccerrumors.mobi/test/test.html
This is what the linter shows now:
Errors That Must Be Fixed
Object Type Not Allowed At URL: Object at URL 'http://curation.masternewmedia.org/' of type 'scoop_it:topic' is invalid because the domain 'curation.masternewmedia.org' is not allowed for the application id '165307520164712' which owns the specified object type. If you are the owner of this application, you can verify your configured 'Site Domain' at https://developers.facebook.com/apps/165307520164712.
The other url http://curation.masternewmedia.org/p/1686490068/four-great-curators-to-draw-inspiration-from shows that the og:type is scoop_it:article , and that works fine, so i guess you should be changing to scoop_it:article.
If you are using scoop.it's service then let them know of this problem.
I'm trying to access/login to Facebook with a program (OverbyteIcsHttpTst.exe) compiled with Delphi using the component ThttpCli (ICS-SSL, which is the latest version that supports https).
The idea is that I want to to access Facebook just like an ordinary browser does.
For example, I tried to login by using "post" to send some data to Facebook with the following code:
https://login.facebook.com/login.php?login_attempt=1
POSTDATA=charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&locale=en_US&email=yourmail%40yahoo.com&pass=yourpassword&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&lsd=XAN99
CooKies : datr=1281135108-ea5c44949be49439183341b84db24aeb6c589ca1d31dc0c0da28d; expires=Sun, 05-Aug-2012 22:51:48 GMT; path=/; domain=.facebook.com;lsd=0ygNR; path=/; domain=.facebook.com;reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com;reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
But I'm still stuck on the main page. Is anything missing?
Thanks.
see if this helps you at all
https://forums.embarcadero.com/thread.jspa?threadID=33184
I have an APP that calls Facebook status.get method via the REST server - restserver.php using session key method. This app works fine for most of the users, but for one user I consistently receive HTTP 500 status code. Since this doesn't have any specific Facebook error message, it is almost impossible for me to debug this.
Anyone faced a similar problem? What could be wrong with this user account? I checked the privacy options that I could think of and they look fine.
Also, for the same user, I can use friends.get method without any problem.
EDIT: I tried in Facebook forums as well, but it was of no use. Any pointers in the direction towards debugging/troubleshooting this problem are also appreciated.
EDIT: The full HTTP trace of my request is as follows. Just to be clear the same code works for other users.
REQUEST
=======================
GET /restserver.php?method=facebook.status.get&limit=1&api_key=a134957738cbd097e76bcefee86c75db&v=1.0&call_id=8cc99cec1562a71&format=JSON&session_key=747ad19e9859993f97c20355-1038949180&sig=5f597e80ad081b30c7155e9176a2aa04 HTTP/1.1
User-Agent: Pandemonium
Content-Type: application/x-www-form-urlencoded
Host: api.facebook.com
RESPONSE
=======================
HTTP/1.1 500 Internal Server Error
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-type: application/json
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="DSP LAW"
Pragma: no-cache
Set-Cookie: datr=1269479340-0545d70990e5f2db3b59176d82435f687f48a4bc69b5f11be9364; expires=Sat, 24-Mar-2012 01:09:00 GMT; path=/; domain=.facebook.com
X-Cnection: close
Date: Thu, 25 Mar 2010 01:09:32 GMT
Content-Length: 0
I had the same problem and just added the description field to my API call. When I deleted the description from my fields the server error was fixed. No idea why it can't handle the description field.
$events = $this->facebook->api('/me/events?fields=name,venue,privacy,location');
The user had already approved the status.get permissions?