I love it when something is working in other browsers and then ya fire up IE and it all goes poof.
I'm getting the following error:
SEC7111: HTTPS security is compromised by http://www.example.com/myappname/?rctp=[an FB user id]
Here's the workflow:
User goes to canvas app on Facebook. Makes choices on form, form submission goes to app's URL on my domain where quick database work is done and redirects back to the app with user id added as a GET variable, which is used to trigger a user-generated request in Request 2.0 fashion.
Works fine in Firefox. In IE9, I get the "only secure content" error message. IE9 F12 debugger console shows the above "SEC7111: HTTPS security is compromised by http..." message.
Not sure why it's showing "http://www.example.com/myappname" as the url it's redirecting from is "https://www.example.com/myappname"
Again... works fine in Firefox. As per some of the other Q's I've seen here, I tried adding FB._https = (window.location.protocol == "https:"); and FB._https = true to the JavaScript but to no avail.
UPDATE: Ok, removing the GET variable clears up the problem. But I NEED to pass that variable. Is there another way to do it?
Related
I am having issues using the Facebook send dialog. If I open this window in a new browser, everything works:
https://www.facebook.com/dialog/send
?app_id=[My_App_Id]
&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback
&link=https%3A%2F%2Fexample.com%2Fimage.jpg
So by doing that, I am able to send a message just fine. However, I need this to be in an iframe, which according to the send dialog documentation, this should work. So I then do this:
https://www.facebook.com/dialog/send
?app_id=[My_App_Id]
&display=iframe
&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback
&link=https%3A%2F%2Fexample.com%2Fimage.jpg
Doing so, I get the following error:
API Error Code: 102
API Error Description: Session key invalid or no longer valid
Error Message: Iframe dialogs must be called with a session key
I find it a little strange that I can do this with a popup, but they require a session key for iframe. But even so, that isn't a problem. Because I have already gotten an access_token. So, this should work then:
https://www.facebook.com/dialog/send
?app_id=[My_App_Id]
&display=iframe
&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback
&link=https%3A%2F%2Fexample.com%2Fimage.jpg
&access_token=[MY_OAUTH_ACCESS_TOKEN]
The access token was obtained from calling /v12.0/dialog/oauth, and I have confirmed that the access_token is valid:
However, I now get this message:
This Content Isn't Available Right Now
When this happens, it's usually because the owner only shared it with a small group of people, changed who can see it or it's been deleted.
So now this really makes no sense. I can send this link just fine if I use a popup with NO access_token present. But to set the display to iframe, I must include the token, which is fine, but it doesn't like the token for some reason?
It is also worth noting that this behaves the same way regardless if the Facebook app is in development mode or live mode. In development mode, all of the permissions should work for my test users. So it seems very unlikely that this is a permissions issue?
Anybody have any insight on this at all?
I am using OWASP to prevent information leakage on my application. But this not working properly as expected.
I logged in to my application and done some random clicks on the tabs in the application. Then I cleared the web browser history and cookies .When I click on any tab after this I will get an pop up screen by saying the session got expired please login again and it redirects me to the login screen when I click on the “ok” button (Till this it worked fine ) . But when I login again and clicking on the tab that used in the last session after deleting the cookies, I get the error “cross-site request forgery (CSRF) attack ...” (this is something weird). If am Clicking on any other tabs I am not getting any error and it works fine
this is a snippet of my OWASP.properties file :-
#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/ourUI/csrfError.jsp
#org.owasp.csrfguard.action.Redirect.Page=/OLDUI/error/error.jsp
#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
#org.owasp.csrfguard.action.RequestAttribute.AttributeName=errMsg
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
I have uncommented the following line and checked
org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
This time I got the error when I click first time on the tab which I have used in last session (followed the same procedure as above) Second time onwards it worked fine. Can anyone please help to find why this error I am getting? Do I need to make any other changes on this file?
I am trying to connect to Paypal to get a users consent to access their paypal payment history. The end goal would be to download payments received at the end of the day and take the info and dump it into a local database.
https://developer.paypal.com/webapps/developer/docs/api/#obtain-users-consent
<Cfset returnlink="http://www.xxxxxx.com/paypal/paypalreturn.cfm">
<cfset paypalLink="https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize">
<Cfset paypallink="#paypallink#?client_id=#settingsLive.clientid#">
<Cfset paypallink="#paypallink#&redirect_uri=#urlencodedformat(returnlink)#">
<Cfset paypallink="#paypallink#&response_type=code">
<Cfset paypallink="#paypallink#&scope=profile+email+address+phone+https%3A%2F%2Furi.paypal.com%2Fservices%2Fpaypalattributes">
<cfset paypalLink="#paypallink#&nonce=#createUUID()#">
<cfset paypalLink="#paypallink#&state=create">
Login with paypal
Clicking on the link below returns:
Relying Party Validation error: redirect_uri provided in the request
does not match with the registered redirect_uri. Please check the
request.
I have logged into the Rest API, modified my app and made sure the redirect uri's for the test and live return link match that listed above. I have also made sure that the accept logins options are checked.
I have also tried the same code against their sandbox URL:
https://www.sandbox.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize
and instead of receiving the validation error, I get a page cannot be displayed.
I've tried every combination of things that I could think of
1) removing 1 cfset statement at a time to isolate a bad variable
2) making sure the return uri was a https vs http
3) switching to sandbox mode url and back
I've connected to other oauth2 api's in the past, but can't figure this one out.
This has changed a bit, and will presumably change again soon... but here's how you do this now.
Log into developer.paypal.com
Click on Dashboard (https://developer.paypal.com/developer/applications)
Click your app name under "Rest API Apps"
Scroll to the box at the bottom of the screen labeled "Sandbox (or Live) App Settings
Set the Return URL (Where users will be redirected after test transactions)
Click save
NOTE
This Return URL must exactly match the redirect_uri that you pass in via querystring (so it's confusing as to why you'd need to pass it in in the first place)
GOTCHA
At this point in time, the Return URL can seemingly never be updated. In my recent experience, if you don't type it correctly the first time you save it, you will have to create a new app.
The only time I have seen this error is when your redirect_uri does not match the one set in your applications profile.
You need to set this value inside of your app on the developer website.
Log into developer.paypal.com
Click Applications
Under My Rest Apps click your App name
Click Edit next to App redirect URLs
Set the return URLs for live or test
Save
I am also unable to get sandbox to work for my Log In with PayPal tests so it is not just you.
As of now (October 2015), the Dashboard Return URL should correspond to the redirect_uri. You can obtain the redirect_uri parameter in Firefox, by downloading the HTTPFox browser plugin. Then you start HTTPFox, point your browser to the OmniAuth login link, and view the scParams in the query string in the bottom-most link in the HTTPFox history to obtain the redirect_uri.
You have to literally make sure the Return URL is the exact same sequence of characters as the input redirect_uri. For example, if one points to "localhost" and the other to "127.0.0.1", it won't recognize the redirect_uri value as the same. It also won't recognize redirect_uri if only one of the redirect_uri values has a final slash.
Yes, the return URL was able to be updated in my experience.
So, I've been at this for a while now, went through a bunch of different questions, and still no solution.
If I log in regularly, all is fine, I can logout as expected. But, if I login with facebook (authorize the app), then there is no way to logout unless I manually delete the cookies from within my browsers menu.
Following that logic, I wanted to destroy the cookies in the logout action using this code(after I modified my session settings to work across subdomains, for my particular case):
function logout() {
if ($this->Cookie->read('Auth.User')) {
$this->Cookie->delete('Auth.User');
}
$this->Auth->logout();
unset($_SESSION['fb_MYAPP_ID_user_id']);
unset($_COOKIE['fbm_MYAPP_ID']);
unset($_COOKIE['fbsr_MYAPP_ID']);
unset($_COOKIE['CAKEPHP']);
//pr($_SESSION);pr($_COOKIE);exit(); //here I see that the cookies are in fact deleted
$this->redirect($this->Auth->logout());
$this->redirect('/login');
}
But every time after the logout redirect it brings the user back, logged in, and the session/cookies recreated.
I went through a lot of SO questions and answers and none worked for me. Any ideas?
You cannot simply unset cookies from the cookie container, this is just the server side representation of the cookies contained in the request.
To delete cookies you need to set the exact same cookie (domain, path, name) but with an expiration that has passed - when read by the client this will cause the cookie to not be sent with the next request.
You can see how this is done in https://github.com/facebook/facebook-php-sdk/blob/master/src/base_facebook.php#L132.
I ended up using a combination of the following answers:
CakePHP + Facebook
$facebook->getSession() call breaks page below the call
The code on the first one is more complete, but is outdated. I also kept the unset() calls that I have in my question, and it seems to work good for now.
The title really says it all. Under some (undetermined) conditions FB.getLoginStatus() just stops working and won't invoke the callback I gave it. The only interesting clues I've found are
FB.Auth._loadState is stuck on "loading" -- whatever is supposed to make it click over to "loaded" isn't happening
slight delays like putting in alert() calls tend to make it start working
Any hints at all about even how to investigate this welcome.
This usually happens for me when I am running the page under a different domain from what has been registered in Facebook. Typically this is when I am developing locally.
If you are running locally, you'll have to set up a local web server and then modify your hosts file to point the the registered domain to 127.0.0.1 in order to test on your local machine. Don forget to remove that line from the hosts file when you want to test it on the server.
According to:
https://developers.facebook.com/bugs/240058389381072
You cannot put your application under sandbox mode, or else it won't work. Go into your app settings, advanced, and switch it. This stumped me for a couple hours until I happened upon the bug report.
I had similar problem with FB API. It turned out, that my Facebook App was misconfigured. Please make sure that this is not the case for you. My problem was that my "Site URL" param in FB application was pointing to https, but I was using http protocol for development. Any call against FB api after FB.init was not calling my callback functions. So the first thing to do should be to double check App config.
Now, if some reason you depend on FB api but you wish to have a fallback option in case it;s inoperative - workaround with timer should be ok for you. Just set up a timer and disable it if FB Api gives you proper response. If not - fallback to some custom function which will perform some additional logic.
function callFbApi() {
var timeoutHandler = setTimeout(function() { requestFailed(); }, 1000);
function requestFailed() {
// When this happens, it means that FB API was unresponsive
doSomeFallbackWork();
alert('hey, FB API does not work!');
}
FB.getLoginStatus(function(response) {
clearTimeout(timeoutHandler); // This will clear the timeout in case of proper FB call
doSomeUsualWorkAfterFbReplies();
return false;
}, true);
}
If your application is in sandbox mode, Facebook acts as if your application is invisible to anyone who is not listed as an application developer. If you're not logged in, then it would stand to reason that your app is now invisible.
The callback will only fire if you're initializing with a visible application. Otherwise the following response is returned:
<span>Application Error: There was a problem getting data for the application you requested. The application may not be valid, or there may be a temporary glitch. Please try again later. </span>
For more info please see my comment on this bug ticket:
https://developers.facebook.com/bugs/240058389381072
Maybe you are using the asynchronous call. The same thing happened when I called FB.init with window.fbAsyncInit. All I did was delay the FB.getLoginStatus with a setTimeout function
window.setTimeout(checkLogStatus, 1000);
function checkLogStatus(){
alert("check");
// fetch the status on load
FB.getLoginStatus(handleSessionResponse);
}
It seemed to work after that
On the new version of the Developer app, you have to make sure to have put the correct URL you are using to access the application in the Website field under the
Select how your app integrates with Facebook
section.
Make sure the protocol is HTTPS and not HTTP.
I had a similar problem. The site worked every time when I was opening the browser, but fails when I tried to reload.
The cause was the missing "www" on the site name on Facebook configurations. Note that putting "www" (like www.yoursite.com) works on both situations (yoursite.com or www.yoursite.com).
As others have posted, you must be accessing your site at the same URL that facebook expects. For example if facebook has a callback "example.com" but you're browser has "www.example.com", that can cause this problem.
In addition, if third-party cookies are not allowed by your browser, you may also see this problem. Or you may see the callback erroneously reporting the user is not connected.
Just posting a situation I had were calling FB.getLoginStatus got absolutely no response.
My application is designed to run in a tab, and I only entered the Page Tab URLs on the app admin page, and not the App On Facebook (i.e. Canvas) URLs. The tab loads perfectly, but any calls to the FB JS SDK provoke no response.
In Facebook App Settings, go to Client OAuth Settings, look at Valid OAuth redirect URIs
Make sure you have listed all URIs which are the domains from which Facebook SDK is being invoked. For example:
I develop at localhost:5000 and deploy to Heroku. Notice the format: http://domain.name/