I coded a stub application for Facebook.
When I try to access the app URL (http://apps.facebook.com/myappname) it all works fine. It works from other servers as well.
However, a specific co-worker of mine is also trying to access it and he gets redirected to facebook.com.
A day ago he was able to log-in, and we are not aware of any changes.
Thoughts, anyone?
This is common when you don't have the required SSL server's URL in the app settings. The other user who was redirected has "allow only https" set in his user preferences. Since you have no https version set, he gets redirected away. If you do have the SSL server's URL in your app settings, then the SSL cert may be bad. Many people try to get away with using a "fake" cheap SSL cert. The cert must be a real (read: expensive) one.
Instagram API requires redirect uris to have an SSL certificate (HTTPS connection).
I use the Instagram API for my mobile app, and the OAuth response should first invoke a procedure in the app.
I am able to create a server to catch this call locally (on 127.0.0.1), but for the certificate, I can only create a self-signed one. The problem is that the browsers don't trust it and initially warn the user about the potential hazards, which is unacceptable for the user experience.
I saw a few similar questions on Stack Overflow, but unfortunately, I couldn't understand if they solve my issue.
How to avoid this warning?
Basically, even if it warns about https you can use the APIs. I had the same issue, but I just tried to run the application on the https port instead of http on localhost and it worked. So the answer is you just need to run your application on https.
I have a solution for my specific case; I use Flutter for the mobile application. But overall you can find something similar for other cases as well.
Initially, I was launching the Instagram authorization window with url_launcher package. Basically, for iOS it launches the url in-app, but in a Safari Web View. In this way I am unable to control the flow in this web view. So, what I wanted to do is to catch a request to 127.0.0.1 when authorization is completed by running a local server in the app. It does work but throws a warning about security hazard due to a self-signed certificate, since Instagram requires https being used and 127.0.0.1 cannot have a trusted certificate.
Instead, now I launch the Instagram authorization window in-app with custom WebView using webview_flutter. It provides more flexibility, but most importantly I can track navigation. So now, Instagram redirects my user to the non-existing page on my website, which has a trusted certificate (but it doesn't really matter), but the aforementioned WebView can detect this redirect, parse the URL to retrieve the wanted code and prevent actual redirection by closing this web view. So, eventually, I get the wanted code in the app, so I can send it to my backend with extra user id reference.
So, basically, the workflow looks like this:
User clicks a button in the app to connect Instagram account;
The app launches a custom web view and opens Instagram authorization page;
After authorization, Instagram redirects the user to a dummy URL with the wanted code as a query parameter;
The custom web view detects this redirection;
Retrieves the code from the URL;
Closes web view (returns to the main app screen).
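The check the web view's navigation callback has to make in steps 4 and 5, as an added example that is not part of the original answer. It is written in Python rather than Dart to show only the decision logic; the redirect URI, the function name and the OAuth-style `error` parameter are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed redirect URI registered with the provider (placeholder domain).
REDIRECT_URI = "https://example.com/instagram/callback"


def handle_navigation(url, redirect_uri=REDIRECT_URI):
    """Decide what to do with a URL the web view is about to load.

    Returns (action, value): "allow" keeps navigating, "code" closes the
    view with the authorization code, "error" closes it with a reason.
    """
    target, expected = urlsplit(url), urlsplit(redirect_uri)
    # Compare scheme, host, port and path exactly. A plain prefix test
    # would also accept look-alike hosts such as example.com.other.test.
    if (target.scheme, target.hostname, target.port, target.path) != (
            expected.scheme, expected.hostname, expected.port, expected.path):
        return ("allow", None)
    params = parse_qs(target.query)
    if "error" in params:
        # The user declined or the provider rejected the request.
        return ("error", params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        # Empty, missing or repeated code: do not forward it to the backend.
        return ("error", "missing_or_duplicate_code")
    return ("code", codes[0])
```

In a webview_flutter navigation delegate, "allow" corresponds to letting the request proceed, and the other two outcomes to preventing it and closing the view.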
The site that I am embedding for my app on Facebook is SSL enabled and hitting the https page on a normal browser brings up the site as expected. For now, my SSL certs are self-signed.
However, when I try to run the app on Facebook, it fails to load the page. There are no errors except the image below. Mouseover on the icon shows a "NULL":
So my question is, does this have to do with the fact that my SSL certs are self-signed? Or is there some other reason for this?
Also, I am not able to check if the non-secure page (http) works on the app as Facebook does not allow me to switch off my secure browsing mode.
After obtaining commercial SSL certs, it now works. So I guess any SSL certs that result in a browser prompt asking the user to continue would not work in an embedded canvas on Facebook.
Two weeks ago I bought an SSL certificate for my domain. I have an app on Facebook, and in Safari it works fine, but in Chrome the following message appears:
"Error 501 (net::ERR_INSECURE_RESPONSE): Error desconocido."
I have set the "Secure Canvas URL" in the configuration of the app in Facebook.
What's the problem?
I have just checked it out in Internet Explorer and Firefox and it works fine.
In both browsers it enters the game directly.
With respect to the certificate and app settings, the certificate is valid for www and the domain, and in the app settings I just typed the domain name.
Well, the function from Facebook that causes the problem is:
FB.Canvas.setAutoResize();
I hope this could be helpful.
It is a known problem that Chrome handles this less elegantly: http://code.google.com/p/chromium/issues/detail?id=87957
But that does not take away the fact that it should work with a valid certificate. Can you check with a few other browsers, like IE and Firefox? Please get back when those give any indication of the underlying problem.
This problem happens to me for my app, but only on Chrome on Ubuntu (Chrome on Windows 7 is fine, and Firefox [version 13 at the moment] on Ubuntu is fine), and it only happens when secure browsing is forced on in Facebook (Account settings > Security > Secure browsing). By unchecking Browse Facebook on a secure connection (https) when possible, I no longer receive this problem.
Please downvote this answer (a lot, hahaha), because telling users to use a different operating system or to turn off secure browsing is not going to be received well! I'll report back if I come up with a real solution.
What's the problem?
Your SSL cert is invalid or not configured properly. This can happen, for example, when you use your domain with www in the app settings while the cert is issued for a domain without www, etc. It can also be something else misconfigured.
I know it's an old thread, but I just got a similar problem with some free hosts that use a shared SSL cert instead of custom domain certs. When setting up your Canvas app, in "Secure Canvas URL", use the URL provided by the host instead of your custom URL.
Ex: If your host is openshift, they give a URL similar to -> php-blablabla.rhcloud.com. Use this one instead of blablabla.com (which would be the domain you paid for).
Hope this helps someone.
Cheers.
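Both answers above describe the same failure: the host name in "Secure Canvas URL" is not one of the names the certificate covers. The following added example (not from either answer) checks a URL against a certificate's subjectAltName entries using RFC 6125-style matching; the function names and the sample name lists are constructed, including the assumption that the shared-host certificate is a wildcard one.

```python
from urllib.parse import urlsplit


def name_matches(hostname, san):
    """True if hostname is covered by one DNS name from the certificate."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False  # a wildcard never spans more than one label
    if pattern[0] == "*":
        # Wildcard only as the whole left-most label, never "*.com".
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def check_canvas_url(secure_canvas_url, cert_sans):
    """Return (ok, detail) for a Secure Canvas URL and the cert's DNS names."""
    parts = urlsplit(secure_canvas_url)
    if parts.scheme != "https" or not parts.hostname:
        return (False, "not an https URL")
    for san in cert_sans:
        if name_matches(parts.hostname, san):
            return (True, san)
    return (False, f"{parts.hostname} is not covered by {cert_sans}")


# Constructed sample name lists, not taken from any real certificate.
BARE_ONLY = ["blablabla.com"]
BARE_AND_WWW = ["blablabla.com", "www.blablabla.com"]
SHARED_HOST = ["*.rhcloud.com"]  # assumed shape of a host's shared cert

if __name__ == "__main__":
    for url, sans in [
        ("https://www.blablabla.com/app/", BARE_ONLY),
        ("https://www.blablabla.com/app/", BARE_AND_WWW),
        ("https://blablabla.com/app/", SHARED_HOST),
        ("https://php-blablabla.rhcloud.com/app/", SHARED_HOST),
    ]:
        print(url, check_canvas_url(url, sans))
```

For a live server, the DNS names can be read from the `subjectAltName` field of `ssl.SSLSocket.getpeercert()` and passed in as `cert_sans`.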
Since FBML apps' canvas URL(s) are not directly accessible by the end user, I suppose not, but can anyone confirm this?
Confirm: "An SSL Certificate is required for all Canvas and Page Tab apps (not in Sandbox mode and not FBML)." See here: http://developers.facebook.com/docs/oauth2-https-migration/
Though I am currently getting mixed content warnings in IE and Firefox when using Facebook in https mode and then loading content over http in the app. So users of your app might get a kinda bad feeling if you do not serve your content over https.
UPDATE:
Facebook:
"We have heard that there is some confusion about whether FBML apps
must support HTTPS. FBML developers still need to know whether users
are browsing Facebook over a secure connection since they need to
detect whether to serve iframe or video content over HTTPS. As a
result, FBML apps must obtain SSL certificates in order to serve this
type of content to users browsing over a secure connection. If you
have an FBML app, please obtain an SSL certificate for your app to
receive traffic from users browsing Facebook over a secure connection.
If you enable SSL for your FBML app, please make sure that your SSL
certificate includes all intermediate certificates in the chain of
trust as our SSL validation is strict. You can use third-party SSL
analysis tools (e.g., https://www.ssllabs.com/index.html) to check
your certificate status and fix any errors (and warnings). If your SSL
certificate has problems, you may see "Empty response received" error
when you load your FBML canvas app."
https://developers.facebook.com/blog/post/567/
I am making a Facebook tab which uses an iframe to show the tab content from another URL. Everything works fine, but when users use a secure HTTP connection (https) the tab no longer loads and shows an error saying the page is not secure.
The pages that the iframe is showing are not using SSL. Do I need to have SSL to show the page over a secure connection, or do I have to change some setting in Facebook?
You will need to buy an SSL certificate, make sure it is properly installed on your server, and make sure your page is properly working over SSL (no warnings). Once this is set up, plug the SSL URL of your page into your fan page tab application settings, and it will work. You will want to do this as Facebook is continually encouraging users to enable the always-on SSL option on their account, and at some point SSL may be the only option on Facebook and they probably won't give you much of a warning to enable it.
For now it's an option to have an SSL certificate, but starting from October the first, it will be required.
I have set up my application, and it works well for almost all browsers except Google Chrome. It seems to have a warning about the secure URL of my iframe and doesn't load it. The only way I could work around it was visiting the actual URL of the iframe, confirming the SSL warning, then going back to the application on FB, so it finally worked.
Lousy solution, I know, but there was nothing else I could do.