Facebook canvas iframe and security - facebook

I want to open my small platform to developers, so they can build applications that could be inserted in our site as iframes. Similar to what Facebook is doing, but no, I am not trying to build another Facebook :). From what I understand, developers can build Facebook applications using iframes.
Question: I am wondering about security from the Facebook user's perspective. How does Facebook prevent an application developer from putting malicious JavaScript code inside the iframe? I haven't noticed any automatic mechanism that prevents including something like that in an iframe.
Thanks

No, this is not a problem at all, I think you are worrying for nothing.
There are no security issues that you need to worry about yourself; the page loaded in the iframe is sandboxed and is "guarded" by the browser.
The two iframes can't even communicate with one another since they are not sharing the same domain, and modern browsers will block any attempt to execute JavaScript code in another frame if the two frames have different domains.
The thing that Facebook did was to work around that problem: each iframe app in Facebook loads the Facebook JavaScript SDK, which then enables the nested iframe to make requests to Facebook and be notified (by callbacks) when the data returns.
As for "malware JavaScript code inside the iframe to attack the user's computer via the browser", the iframe has the same exact security policies enforced by the browser as any other browser page; if someone manages to somehow bypass those policies, it makes little difference where it's loaded, and Facebook is not enforcing any other security measures.
The only thing you need to worry about is that scripts inside the iframe would be able to access your scripts and/or DOM, which should not happen unless you create a mechanism which lets them (somehow bypassing the cross-domain policy).
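The answer above says the one thing a platform owner can get wrong is building their own opening through the cross-domain wall. The example below, added here and not code from the thread or from Facebook's SDK, shows the host side of that opening done carefully: a `postMessage` handler that checks the sender's origin before anything else, treats the payload as data rather than code, and dispatches only to a fixed list of actions. The origins, action names and message shape are hypothetical.

```javascript
// Added example (not code from the original thread): the host side of a
// postMessage channel between a platform page and a third-party app
// running in a cross-origin iframe. The browser keeps the app from
// touching the host DOM; this handler is the one deliberate opening, so
// it must check the sender's origin and accept only fixed, structured
// actions. The origins, action names and message shape are hypothetical.

const ALLOWED_APP_ORIGINS = new Set([
  'https://app-one.example.test',
  'https://app-two.example.test',
]);

// The complete list of things an embedded app may ask the host to do.
// Each handler validates its own parameters and returns a description
// of the effect, so the result can be inspected here (or applied to the
// DOM by the caller in a real page).
const ACTIONS = {
  // Let the app ask for a new frame height, clamped to a sane range so a
  // malicious app cannot push the host UI off screen.
  resize(params) {
    const h = Number(params.height);
    if (!Number.isFinite(h)) return { ok: false, reason: 'bad height' };
    return { ok: true, effect: 'resize', height: Math.min(Math.max(h, 100), 4000) };
  },
  // Show a short text notice. Text only: the host must never insert
  // app-supplied HTML into its own DOM.
  notify(params) {
    const text = String(params.text ?? '').slice(0, 140);
    return { ok: true, effect: 'notify', text };
  },
};

// Handle one MessageEvent. Returns a result object instead of acting, so
// the logic can be exercised outside a browser.
function handleAppMessage(event, allowedOrigins = ALLOWED_APP_ORIGINS) {
  // 1. Origin check first. event.origin is set by the browser and cannot
  //    be forged by the sending frame; an unknown origin (including the
  //    literal 'null' of sandboxed/opaque frames) is rejected.
  if (!allowedOrigins.has(event.origin)) {
    return { ok: false, reason: `origin not allowed: ${event.origin}` };
  }
  // 2. Treat the payload as data, never as code. Accept a JSON string or
  //    a structured-clone object, nothing else.
  let msg = event.data;
  if (typeof msg === 'string') {
    try { msg = JSON.parse(msg); } catch { return { ok: false, reason: 'malformed JSON' }; }
  }
  if (msg === null || typeof msg !== 'object' || typeof msg.action !== 'string') {
    return { ok: false, reason: 'bad message shape' };
  }
  // 3. Dispatch only to own properties of ACTIONS, so names such as
  //    'constructor' or '__proto__' cannot reach Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, msg.action)) {
    return { ok: false, reason: `unknown action: ${msg.action}` };
  }
  return ACTIONS[msg.action](msg.params ?? {});
}

// Host -> app direction: always name the exact target origin. A '*'
// target would hand the data to whatever page the app frame has been
// navigated to, possibly by an attacker.
function postToApp(appWindow, appOrigin, payload) {
  if (!ALLOWED_APP_ORIGINS.has(appOrigin)) {
    throw new Error(`refusing to post to unknown origin: ${appOrigin}`);
  }
  appWindow.postMessage(JSON.stringify(payload), appOrigin);
  return appOrigin;
}

// In a real page the listener is installed once on the host window:
//   window.addEventListener('message', (e) => apply(handleAppMessage(e)));
// where apply() turns the returned effect into a DOM change.
```

The order of the checks matters: origin first, then shape, then a closed dispatch table. The SDK-style callback mechanism the answer describes is the same channel under the hood, and it only stays safe as long as the receiving side never relaxes the first check.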

Related

Facebook Policy on Running Canvas App Outside iFrame?

I am currently working on a Facebook app. At the moment it is running in the canvas iFrame. However, ideally I would like it to also be accessible outside of the iFrame as well - much like Branchout is accessible within Facebook and also independent when loaded directly on their website.
According to the Facebook Platform Policies:
The primary purpose of your Canvas or Page Tab app on Facebook must not be to simply redirect users out of the Facebook experience and onto an external site.
Is anyone aware of any additional policies around this?

Blank Canvas Page for iFrame App

I'm working on an iframe-style app that pulls the Facebook-optimized page available at http://store.starrco.com/?store_mode=facebook. I've done other, admittedly much simpler, iframe apps before without issue, but though I've configured this one more or less the same, when I try to view the canvas URL it remains blank.
My settings can be seen here: http://www.abstraktmg.com/clients/starrco/starrcofbsettings.jpg
I've tried a few different permutations of this with the same results, this is the most complete setup though and most closely matches the settings template I was given.
This page is being generated by Webasyst's shop-script, which is specifically supposed to support this. The obvious answer then is to contact their support which I did, but after assuring them that my app settings matched their template, they said I needed to contact Facebook support and this is as close as I could find to any proper support system.
I checked both http and https versions of store.starrco.com/?store_mode=facebook and both worked outside of facebook.
However, there may be some framebusting code which might prevent the site from being loaded in an iframe. And I see that your settings appear to be missing the app domain entry.
I ran into the same problem, especially in Chrome and Firefox. The problem is, when the user is browsing Facebook over HTTPS, the HTTPS version of the iframe is called. But the browser does not show invalid certificate problems until you right-click for page information.
You need to have an SSL cert signed by a CA trusted in the browser.
If the user has accepted it without the iframe, outside of Facebook, it works.

Session Lost on IE Facebook App iFrame

I have an issue with my Facebook app when the user uses Internet Explorer.
My app is loaded in iFrame as Canvas Page.
Cookies and session are lost after post back. It doesn't happen on Firefox at all,
and it doesn't happen on IE if I open my app outside of Facebook, meaning, using the direct URL.
My app is Asp.net C# app but it shouldn't really matter.
I think the issue is larger than a Facebook issue: any website loaded in an iframe using cookies/session is prevented by IE from keeping cookies/session, but is there a way by Facebook to overcome this? I must use sessions in my app, not just to avoid reauthenticating again and again but for other things too.
Please assist me.
Thanks!
Most likely you need to implement P3P headers in your app; see the following for more details:
http://forum.developers.facebook.net/viewtopic.php?id=452

Iframes v FBML - Why transfer?

I have lots of Facebook fan pages, and I have been told on many occasions to change to iframes. Facebook development isn't really my main thing, so I haven't kept up to date with the change, as FBML worked for me.
I have asked a recent question about rotating images and it seems that iframes will be able to handle this.
Can you tell me what the good things about iframes are?
Is there an iframe service without third-party branding (i.e. the WildFire logo at the bottom of the page)?
Thanks for your help
You should be switching as soon as possible from FBML fan pages to iframe fan pages, because FBML pages have been deprecated (you can't create new FBML pages) and it is likely Facebook will start killing FBML page support for existing pages, with little to no notice.
The biggest benefits are that almost all JavaScript code will now run, without making a user first click somewhere. Laying out pages is a lot cleaner. And you don't have to learn the FBML tags. You just make a web page like you normally would and it should run just fine, as long as you understand that iframe code is sandboxed due to cross-domain limitations, so you can't try to modify its parent (the Facebook page).
I don't know of any iframe services, but iframe pages are so simple: you just host a plain HTML file or web page somewhere on a server anywhere and tell Facebook the URL for it. Do note though that the site it is hosted on should have an SSL certificate for users that visit your page with HTTPS enabled on their Facebook account.

Getting Past Facebooks Iframe Block

Well, on Facebook they seem to have a block which prevents you from loading an iframe of their website.
When you do, they lock the complete functionality of their website (example).
I'm just wondering if anyone knows how you could bypass this?
If they did not prevent this, an attacker could load Facebook pages into a transparent iframe and put something interesting below it. Let's assume a victim has logged in to Facebook and then visits the website of the attacker (after some time, in another tab).
The victim will click on something on the attacker's website. But in fact it is clicking onto the transparent iframe and triggering some action on the Facebook website. The browser will of course send the session cookie to Facebook, and Facebook sees a legitimate action by a logged-in user.
Wikipedia has an article on clickjacking: http://en.wikipedia.org/wiki/Clickjacking
This attack can be prevented using the unofficial X-Frame-Options HTTP header as described on
http://www.webmasterworld.com/webmaster/4022867.htm Unfortunately not all browsers support it, so frame-breaking JavaScript is required, too.
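The answer above names the two controls, the X-Frame-Options header and a frame-breaking script. The example below, added here and not code from the thread or from Facebook, shows both on the server side for a Node http handler, and also the case the thread's other questions care about: a canvas app page that must be frameable by the platform's hosts and by nobody else, which X-Frame-Options alone cannot express and the newer CSP `frame-ancestors` directive can. The hostnames used in the allowlists are illustrative.

```javascript
// Added example (not code from the thread above): server-side controls
// that keep a page out of a hostile iframe. Hostnames are illustrative;
// the "canvas app" case is a page that must be frameable by one set of
// hosts and by nobody else.

// Build the response headers that decide who may frame this page.
//   []                  -> nobody (X-Frame-Options: DENY + frame-ancestors 'none')
//   ["'self'"]          -> same origin only
//   ['https://a', ...]  -> exactly those hosts, via CSP frame-ancestors
// X-Frame-Options has no multi-origin form: its ALLOW-FROM value was only
// ever honoured by a couple of browsers, so for an allowlist the CSP
// directive is the one that actually does the work.
function framingHeaders(allowedAncestors) {
  if (allowedAncestors.length === 0) {
    return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    return { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" };
  }
  allowedAncestors.forEach(assertHostSource);
  return { 'Content-Security-Policy': `frame-ancestors ${allowedAncestors.join(' ')}` };
}

// Accept only CSP host-sources of the form scheme://host[:port], with an
// optional leading "*." wildcard label. Anything else (a path, a
// javascript: URL, a stray quote or semicolon) would either be ignored by
// the browser or change the meaning of the whole header, so fail closed.
const HOST_SOURCE = /^https?:\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?$/i;
function assertHostSource(src) {
  if (!HOST_SOURCE.test(src)) throw new Error(`invalid frame-ancestors source: ${src}`);
  return src;
}

// Fallback for browsers that honour neither header: the page starts
// hidden and is revealed only when it is the top window; otherwise it
// navigates the top window to itself. Starting hidden is what defeats an
// attacker who manages to block the redirect: they get a blank frame.
const FRAME_BUSTER_HTML = [
  '<style id="fb-guard">html { display: none; }</style>',
  '<script>',
  "if (self === top) { document.documentElement.style.display = 'block'; }",
  'else { top.location = self.location; }',
  '</script>',
].join('\n');

// Attach the headers to a Node http.ServerResponse (or anything with
// setHeader) and return what was set.
function protectResponse(res, allowedAncestors) {
  const headers = framingHeaders(allowedAncestors);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}

// Two policies for two kinds of page: a login or settings page should
// never be framed; a canvas app page is only ever legitimately framed by
// the platform it is installed on.
const LOGIN_PAGE_ANCESTORS = [];
const CANVAS_APP_ANCESTORS = ['https://apps.facebook.com', 'https://www.facebook.com'];

// Usage with Node's http module (not run here):
//   http.createServer((req, res) => {
//     protectResponse(res, req.url.startsWith('/canvas') ? CANVAS_APP_ANCESTORS : LOGIN_PAGE_ANCESTORS);
//     res.setHeader('Content-Type', 'text/html');
//     res.end(FRAME_BUSTER_HTML + '<p>hello</p>');
//   }).listen(8080);
```

Note that the frame-buster only belongs on pages served with the deny or same-origin policy: a canvas app is supposed to be framed, so for it the CSP header is the whole defence and the script would break the app.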
If you can do that, Facebook faces a serious security threat.
I say forget it; even if a method is found, Facebook would soon block it, and the method would then fail.
Unless you are doing something naughty and you only need something that works now.