Getting blank signed request from facebook in ie only - facebook

When I deploy my Facebook app to a remote dev I seem to get a blank signed request returned, but only in IE. Any ideas on whether this is a known IE bug?

Yup, this happens because of the P3P policy and how Internet Explorer behaves with it. You can fix it by sending the following header data in your web application.
P3P: CP="CAO PSA OUR HONK"
You can find a detailed post on this in the following URL
http://hasin.wordpress.com/2011/09/30/story-about-blue-e-iframed-web-application-wastage-of-6-hours-and/
Hope it will help.

Related

Post Inspector (520 error), and how to debug?

When I try to validate social sharing tags using LinkedIn Post Inspector I get the following error for any page I submit, but no other information; it gives no clue as to what is wrong:
I found this post:
LinkedIn post inspector encountering server error on https URL
which says there are known issues with the Post Inspector. That post is over a year old; is there really no update from LinkedIn on this?
I also found this:
Validating link in post-inspector linkedin in gives server error
I checked the certificate here:
https://www.sslshopper.com/ssl-checker.html
which reported that the hostname is correctly listed in the certificate.
Any advice on debugging this would be very welcome.
The 520 error seems to be related to Cloudflare, so this is possibly an issue with headers related to SSL - Cloudflare, certificate origin maybe?
I fixed it, finally.
I added the following changes to the web server config (as suggested by Cloudflare support):
# in the http block
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# in the http, server or location block
limit_req zone=one burst=5;
But this on its own did not fix the issue. I also added some Cloudflare Page Rules (which have sped up page loading), which did seem to fix the issue.
A final update from Cloudflare support is that the Page Rules would have reduced the number/size of cookies and so fixed the issue.

How to check my page is from 302 redirect?

I found that somebody shows their page to the user, then 302 redirects to my site.
I want to stop it.
I thought there would be a Referer in the request header, but there isn't!
I tested this in Chrome 72.0.3626.121 and IE11, and used Fiddler to capture the requests;
there is no Referer header in any request.
And my server-side code can't see a Referer either.
How can I stop the 302 redirect to my site?
It's possible these days for sites to disable adding a referrer when a user follows a link. This is a privacy feature.
The result of sites using this feature is that you can't tell if:
A) A user opened your site directly from the address bar
B) A user came to your site from somewhere else.
If you could tell the difference, it means the privacy feature is not working. Your only option is to block anyone with no referrer header, but then you might block a lot of other users as well.
There is one other common reason for this, though: if you are running an insecure (http) site and you are being linked from a secure (https://) site. It might be possible to get the referrer back in this case by upgrading your site to https.

Encrypted site and header location redirect

I have recently encrypted a site for a client and am finding some people get insecure site warning in Chrome with the triangle icon.
My major problem though is that the contact form PHP processor has a:
header('location:https://www.bioloo.co.nz/index.php/thanks');
but viewers get the warning instead of going to the Thank You page. My webhost reports the certificate is valid and all absolute URLs are set properly.
Do I have to set a no-cache tag?
Any ideas please?

Facebook App Not Displayed Insecure Content Message In Chrome

I've been trying to get to bottom of this problem for a few hours but I can't seem to fix it, I've seen other questions similar to this and tried to use those to implement a fix for my problem but to no avail.
I've built a Facebook contest canvas app which displays fine independently, but when I link it to a Facebook page (as a link to a new contest) Chrome no longer displays it and gives the following warning:
The page at 'https://www.facebook.com/contest/app_xxxxxxxx' was loaded over HTTPS, but ran insecure content from 'http://mydomain.com/': this content should also be loaded over HTTPS.
I've learned, partly by trawling this site, that the Chrome security is fussier, and the app loads correctly, without errors, in Firefox and IE, but I can't find any resources that are loaded from a non-https source.
I have been through with firebug checking in the net tab and checked that all of the loaded resources are using https (the png images, the jpg images, the css files and the jquery js files which are all hosted on the same server that has the certificate), I have even tried hosting the transitional dtd doc itself but nothing seems to make the warning go away and the app display correctly.
In the other similar questions it seems that there are either resources sourced from non-https sources or there are ssl switches used in the javascript library for facebook passed before the fb init.
The problem is that I am using only the php sdk not the js one (although I am using version 1.9 of jquery, hosted on my server) and I could find no similar ssl specific settings there.
If someone could give me a tip about how I could investigate further, what I might be missing or is familiar with this issue I'd be interested to hear about it.
Thanks a lot.
David
Facebook requires the app to come from https://. You need an SSL certificate on your server and to enable SSL. In the Facebook app settings, change the secure URL to the https://mydomain.com URL.
I did have a similar issue recently (but it only caused issues on IE10) and I resolved that by adding a P3P header:
header('P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
Found the solution!
In the Facebook app settings, if the page tab URL is specific to a page, e.g. https://www.mydomain.com/index.php, Chrome doesn't complain with the insecure content message, but if you reference a directory the error is propagated. I found this confusing since the 'canvas' URLs need to be directories.
I hope this answer will save someone a few hours! :)

security warning in IE9 "Show all content"

I'm implementing the Facebook Comments plugin on my site. Users get the warning "Show all content" in IE9.
This other publisher is using the same plugin and it does not bring up the warning.
Can someone please help me with this?
Asking users to turn off the mixed content warning in their IE9 is not an option.
We were just looking at this today and our workaround for now was to include the Facebook Library over https (even when the page itself is viewed over http). Although not ideal it gets rid of the mixed content warnings in IE9 until they have fixed their bug.
That seems to be how it was accomplished at www.vg.no linked in the original question, the library is linked via https.
From their code:
<script src="https://connect.facebook.net/nb_NO/all.js"></script>
I have the same problem:
I have a page that's 100% http. But, the facebook javascript (which I call over http), is returning assets (.js, images) over https, which is generating security warnings for IE(9) users.
I have figured out it's the comment widget from Facebook (
Here's an example of a live page on http: with the error:
http://app.gophoto.com/p?id=10173&rkey=CD01891B287792415384&s=1&a=6940
Here's one of the assets that Facebook returns over HTTPS
https://s-static.ak.facebook.com/rsrc.php/v1/y8/r/7Htnnss1mJY.js
(I'm unable to comment (for some reason?) on Joel's answer. But, his suggestion to fetch the initial all.js over https on http sites does not actually work. I've tried it, and it also inherently looks incorrect since even the initial js fetch violates the mixing up of http & https content.)