Since FBML apps canvas url(s) are not directly accessible by the end user, I suppose not , but can anyone confirm this ?
Confirm: "An SSL Certificate is required for all Canvas and Page Tab apps (not in Sandbox mode and not FBML)." See here: http://developers.facebook.com/docs/oauth2-https-migration/
Though I am currently getting mixed content warnings in IE and Firefox when using Facebook in https mode and then loading content over http in the app. So users of your app might get kinda bad feeling if you do not serve your content over https.
UPDATE:
Facebook:
"We have heard that there is some confusion about whether FBML apps
must support HTTPS. FBML developers still need to know whether users
are browsing Facebook over a secure connection since they need to
detect whether to serve iframe or video content over HTTPS. As a
result, FBML apps must obtain SSL certificates in order to serve this
type of content to users browsing over a secure connection. If you
have an FBML app, please obtain an SSL certificate for your app to
receive traffic from users browsing Facebook over a secure connection.
If you enable SSL for your FBML app, please make sure that your SSL
certificate includes all intermediate certificates in the chain of
trust as our SSL validation is strict. You can use third-party SSL
analysis tools (e.g., https://www.ssllabs.com/index.html) to check
your certificate status and fix any errors (and warnings). If your SSL
certificate has problems, you may see "Empty response received" error
when you load your FBML canvas app."
https://developers.facebook.com/blog/post/567/
Related
The site that I am embedding for my app on Facebook is SSL enabled and hitting the https page on a normal browser brings up the site as expected. For now, my SSL certs are self-signed.
However, when I try to run the app on Facebook, it fails to load the page. There are no errors except the image below. Mouseover on the icon shows a "NULL":
So my question is, does this have to do with the fact that my SSL certs are self-signed? Or is there some other reason for this?
Also, I am not able to check if the non-secure page (http) works on the app as Facebook does not allow me to switch off my secure browsing mode.
After obtaining commercial SSL certs, it now works. So I guess any SSL certs that result in a browser prompt asking the user to continue would not work in an embedded canvas on Facebook.
I have a Facebook application, and my host have selfsigned certificate. Usually thats not a problem, because my browsers used Canvas URL (with http), and everything worked fine. But some other browsers requires Secure Canvas URL (with https), and throw an exception if Secure Canvas URL is empty, or if my host has incorrect certificate.
So how the browser/Facebook decides when to use Canvas URL, and when Secure Canvas URL? Can I make them use Canvas URL only, without https?
If I'm correct applications have a setting like "October 2011" or something (I'll try to verify that for you). Maybe if you disable that one you can use http. The idea behind this implementation was to put every new applications on https.
Now I can understand for development purposes you want to try without https. Not every browser acts the same way with self-signed certificates (Chrome <-> FF).
In a business environment I strongly suggest you have a valid certificate.
EDIT : possible duplicate of your question http://facebook.stackoverflow.com/questions/7308348/facebook-canvas-apps-https-and-http
EDIT 2 : Apps on Facebook Authentication and Security Migration (HTTPS)
All Canvas and Page tab apps must convert to process signed_request (fb_sig will be removed) and obtain an SSL certificate for use in "Secure Canvas URL" and "Secure Page Tab URL" (unless you are in Sandbox mode). You must provide an SSL certificate in the Dev App settings to avoid having your app disabled.
So ... are you in sandbox mode?
I'm using a self generated SSL certificate on my localhost IIS and pointed my facebook sercure Iframe app URL to https:\localhost but just get a blank page.
when browsing to it not within FB, it gives me the cert warning and then after i add it as an exception, it goes through to the site fine.
using http:\localhost for the non-secure url works fine
any ideas why i'm getting the blank page?
As I know FB checks your certificate and if it not valid it just wont load your app in the iframe. You can try this service that seams to be intended to exactly this kind of problems: http://www.social-server.com/.
Don't stress if you can't afford an SSL certificate for Facebook's SSL migration...
...Use this FREE service to adapt your Facebook pages so that it's viewable over an HTTPS connection.
I have a Facebook page, but I dont have a SSL with me, so its always with the HTTP connection. So when I open the App Page (Canvas), I get an error within the iFrame Error 501 (net::ERR_INSECURE_RESPONSE): Unknown error. which is obvious due to the FB calling for HTTPS version of the page. But I noticed that some pages ask for "Switch to Regular HTTP Connection" to view the page. I was wondering how to do that, I googled a lot but couldn't find the relevant information.
Thanks
Do you have a url set for https on your app's settings page? You should leave it blank if you don't have a valid SSL page yet, and then it should give you the prompt to switch to regular http. However, you will want to get an SSL certificate soon as Facebook is recommending users switch to always-on SSL and at some point SSL may be the only option.
"Switch to Regular HTTP Connection" is limited to admins (at least without so many scary warnings) so it's important that you get an SSL connection running if you're going to have an app on FB now.
I've recently Discovered the following error because the SSL was expired.
This webpage is not available
The webpage at https://example.com/facebook/ might be temporarily down or it may have moved permanently to a new web address.
Error 501 (net::ERR_INSECURE_RESPONSE): Unknown error.
Renewed the SSL and all fixed
i am making a facebook tab which using iframe to show the tab content from other url. Everything work fine but when users use secure http connection (https) the tab no longer loads and shows error saying page not secure.
The pages that the iframe showing is not using ssl. Do i need to have a ssl to show the page in secure connection or i have to change some setting in facebook?
You will need to buy an SSL certificate, make sure it is properly installed on your server, and make sure your the page is properly working over SSL (no warnings). Once this is setup, plug the SSL url of your page onto your fan page tab application settings, and it will work. You will want to do this as Facebook is continually encouraging users to enable the always-on SSL option on their account, and at some point SSL may be the only option on Facebook and they probably won't give you much of a warning to enable it.
for now it's an option to have ssl certificate but starting from October the first, it will be required
i have set up my application, it works well for almost all browsers except google chrome, it seems to have a warning about my secure url of the ifram and doesnt load it, the only way i could work around it is visiting the actual url of the iframe, confirmed the ssl warning, then went back to the application on fb, so it finally worked
lousy solution i know, but there was nothing else i could do