https pages in facebook app/iframe - facebook

Got this really weird problem when loading https pages into my facebook app (when the app is running as http://apps.facebook.com/xxxxx).
If i do declare wether its http or https using.
FB._https = (window.location.protocol === 'https:');
On my https pages the facebook javascript api fails silently or atleast the setSize function. When loading http pages into the iframe it works fine.
If i do not declare if its https or not i get a security warning in IE, in all other browsers it works fines.
If i set my settings to run the app as https and all my pages are in https then it works fine.
But the thing is that if a user runs facebook on http, then i must be able to display some pages as https in the iframe, anyone had any similar problem?

Similar problem here - I put together a proof-of-concept for testing. This has been filed as a bug and is apparently being looked at. It might help if you go and +1 the bug report.

If someone is using facebook on http and they visit your app which is set up for https, they will just see the https page. Or you can set up a http canvas page as well as your https one. You don't need to put in any of those workarounds..

Related

Facebook Canvas app: Force SSL

after searching the web for a while, I am still not able to find the correct solution to my problem; How to make sure the browser is redirected to the https app url. Since the canvas app is an iframe, we don't have access to change the window.top.location to the https equivalent.
If the visitor comes to
http://apps.facebook.com/app_name/
I want him redirected to
https://apps.facebook.com/app_name/
Totally unable to fix it with javascript in the app loaded in the canvas since top.location is impossible to tamper with due to cross-domain origin rules. It could have been fixed easily with a redirect rule implemented by Facebook, and I am surprised it's not a checkbox in the Facebook app setup to enforce SSL. We do not want our game to be accessible over http.
I have tested to set both Canvas URL and Secure Canvas URL to point to the https url, but that gives this error (cross-domain trouble): Unsafe JavaScript attempt to access frame with URL http://apps.facebook.com/app_name/ from frame with URL https://s-static.ak.facebook.com/
Please advice.
Ok, so it is possible to redirect the top window. I must have had a typo when I tested it the first time. This tiny script does the trick:
<script>
if ( window.location.protocol == 'http:' ) {
window.top.location = 'https://apps.facebook.com/app_name/';
}
</script>
However, I still don't understand why this isn't an option in the app setup on Facebook. It would have been a lot more efficient and user friendly with a server side redirect rule.

Facebook tab not showing when using HTTPS even though SSL certificate is installed

For some reason my application has decided to stop loading page tabs when using HTTPS. I do use SSL certificate on my server, the Facebook canvas page even loads using HTTPS;
https://apps.facebook.com/myflashstore
But the Page tab only loads using HTTP even though for a long time it was working with HTTPS just fine.
http://www.facebook.com/trubeats/app_79482449955
https://www.facebook.com/trubeats/app_79482449955
In the app settings, the Secure Page Tab URL is the same as the Page Tab URL so there shouldn't be an issue. Anyone have any ideas? Help is much appreciated
I found the solution. The Secure Page Tab URL was a relative URL, relative to my Canvas URL - while it worked fine ever since I made the app, and worked fine for HTTP requests, for some reason the Secure Page Tab URL now wanted a full URL. Thanks Facebook for continually changing things...makes life much easier for us!

facebook tab default http over https

I know this kind of question are asked all the time,
I've mannaged to deal with all the https problems and all that..
but my problem now is when a user click on the app tab in my page, and their secure browsing option is disabled, they automatically redirected to the http url insted of the https. (my app can only work throu https).
I tried not putting anything in Page Tab URL: in the app settings as well as putting the https url there, but they both wont work...
how can I make my tab to default redirect to https url??
p.s.
I've also tried redirecting by code like this:
if($_SERVER['HTTPS']!=”on”)
{
$redirect= “https://”.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
header(“Location:$redirect”);
}
and also like that:
if (!$_SERVER['HTTPS']) {
header("HTTP/1.1 301 Moved Permanently");
header('Location: https://[myappurl]');
exit;
}
but it did not work
update: problem solved
I needed to fill up the app on facebook section on my application setting in facebook developer. I'm not sure why, but it worked.
my app can only work throu https
You mean, will only “work” (in a sense of “only than can I guarantee the safety of user’s data”), or is only accessible via HTTPS?
how can I make my tab to default redirect to https url??
The user chose to browser facebook.com over HTTP, so Facebook will load the HTTP version of your app into the iframe. So unless you have at least one page of your app that is accessible via HTTP only – you can’t. If you do have such a page, redirect to the HTTPS version using JavaScript, top.location.href = "https://www.facebook.com/…"

Silent failure loading page application in iframe over https

Problem
I have an application driving a tab on a client's page. The application works correctly if the user has not enabled FB's "secure browsing" feature. If attempting to view over HTTPS, the iframe doesn't even appear (no errors, no mixed-content warnings). When correctly loading over HTTP, the div with the id "pagelet_app_runner" has an iframe inserted into it and the application content is loaded inside there. Over HTTPS, this div remains empty and the iframe is not inserted into the page. There are no Javascript errors appearing in Firebug or Chrome's equivalent console.
Why I'm Asking Here
The host has a valid SSL certificate and there is no 'mixed content' at the URL in question. I can successfully view the content over HTTP or HTTPS by visiting the URL directly, and I can do the same by visiting apps.facebook.com/canvasURL/tabURL. It is only when attempting to view within a Page Tab that the HTTPS load fails as described above. My application is configured with both regular and secure canvas and tab URLs.
Attempted Debugging
I've recorded some sessions with Charles but since the iframe isn't being inserted into the page, I think I'm coming at the problem after it's already occured. I'm no Charles expert so happy to be corrected here.
Apache isn't seeing any request (in either regular or ssl logs) for the affected loads. non-SSL loads come through as expected in access_log.
Plea for Help
I'm out of ideas for debugging this. Does anybody have any suggestions? What really obvious and stupid mistake might I have made? :)
edit: nicer formatting
Your app canvas URL is https://skinnycomp.nextstudio.com.au/skinnycowcomps/ , which send 404 error to Facebook proxy (request is going through proxy when viewing app via tab), also when viewing your app via apps (https://apps.facebook.com/122381834451561/), again 404... maybe Facebook proxy is ignoring 404 and posting blank...
Try changing canvas URL to https://skinnycomp.nextstudio.com.au/skinnycowcomps/tab, also you can check if your app is accessed via page tab, in signed_request there should be page_id...
23:51:15.379[549ms][total 1667ms] Status: 404[Not Found]
GET https://skinnycomp.nextstudio.com.au/skinnycowcomps/
This is a real longshot since I'm sure you've triple checked all the settings, but the blank page can happen if an invalid url is specified in the Page Tab URL field in the app settings. Since it only happens on https, it would imply something specifically with the Secure Page Tab URL entry. It might be worth checking that again, and maybe even re-saving it or changing it to something else to see if it helps.
I was using relative URLs for the regular and secure tab URL fields. From memory relative URLs here were mandatory at some point in the past. It appears now that a relative URL will still work for HTTP but not for HTTPs. Fix: absolute URLs. Hopefully FB update their field validation to match what's required too.

security warning in IE9 "Show all content"

I'm implementing the facebook Comments plugin on my site. Users get the warning "Show all content" in IE9
This other publisher using the same plugin and it does not bring up the warning.
Can some please help me with this?
Asking users to turn of the mixed content warning in their IE9 is not an option.
We were just looking at this today and our workaround for now was to include the Facebook Library over https (even when the page itself is viewed over http). Although not ideal it gets rid of the mixed content warnings in IE9 until they have fixed their bug.
That seems to be how it was accomplished at www.vg.no linked in the original question, the library is linked via https.
From their code:
<script src="https://connect.facebook.net/nb_NO/all.js"></script>
I have the same problem:
I have a page that's 100% http. But, the facebook javascript (which I call over http), is returning assets (.js, images) over https, which is generating security warnings for IE(9) users.
I have figured out it's the comment widget from Facebook (
Here's an example of a live page on http: with the error:
http://app.gophoto.com/p?id=10173&rkey=CD01891B287792415384&s=1&a=6940
Here's one of the assets that Facebook returns over HTTPS
https://s-static.ak.facebook.com/rsrc.php/v1/y8/r/7Htnnss1mJY.js
(I'm unable to comment (for some reason?) on Joel's answer. But, his suggestion to fetch the initial all.js over https on http sites does not actually work. I've tried it, and it also inherently looks incorrect since even the initial js fetch violates the mixing up of http & https content.)