I was wondering what this information means exactly:
October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode).
Does anybody have more detailed information on what will happen on the 1st october and the tutorial about how we should switch to secure page tab URL? Will all the applications be unaccessible if we don't do this?
Thank you!
facebook will not allow to add a new app that doesn't have a secure tab url (https)
if facebook will remove all old apps that do not have a secure tab url is not known at the moment.
a tutorial is not needed, the only thing you have to do is to provide https to your apps,
in the apps settings.
there are a lot of free ssl certificate providers out there - or maybe your host provides ssl to your webspace.
http://tinyurl.com/3oqxutj
Related
Hello I'm very new to the app side of things.
I need to know (as it state from the 1st of OCT) that you need a secure URL for page apps. Does that mean you must have SSL running https:// or you can just use http://?
Yes, I believe you have to get a SSL Certificate for your App Page.
From the Facebook Developer Blog - Keeping Users Safe:
As an app developer, you can help us by:
Acquiring an SSL Certificate. Contrary to some feedback we’ve heard,
acquiring an SSL certificate is relatively inexpensive, and the
ongoing cost of supporting SSL for most apps is low. The sooner your
app supports HTTPS the more secure our platform will become. All Apps
on Facebook (Canvas and Page Tabs) must support HTTPS by October 1.
Reviewing the Authentication guide and implement OAuth. This updated
authentication guide walks you through the OAuth 2.0 flow and how to
implement OAuth with CSRF protection. Our new OAuth flows provide a
more secure and reliable way to obtain access_tokens than our legacy
authentication flows. All apps must support the new OAuth flows by
September 1.
Here's their Authentication Guide (also linked in their blog post).
I have read that Facebook requires that iframe pages uses secure connections (SSL).
But I am now setting up my first app and there are two fields, one "Canvas URL" and another for "Secure Canvas URL".
Has the Facebook policy changed? Is it possible to use an iframe with an non-secure canvas url?
Secure canvas urls are not required in these scenarios:
The app is in sandbox mode and you are a developer or someone who can view the app in sandbox mode.
The app is public
and the user of your application has not enabled secure browsing on
their Facebook account.
If your app is live (not in sandbox mode) and you want ANYONE to use your app, the you will need to get an SSL certificate for your server and add the secure URL to your app's settings
Here is a blog post from Facebook about the change they made in October 2011 http://developers.facebook.com/blog/post/2011/09/09/platform-updates--operation-developer-love/
Sorry in advance for my bad english:
Fb policy has changed a lot in the last period.
Actually you NEED absolutly 2 canvas urls:
"standard" canvas (simply, link the host where the app/program is
stored)
secure canvas (you need to buy a facebook certificate for your host where app is stored)
Basically the app works if you have and also if you don't have a SSL certificate, but people who have setted a strong app privacy on their fb accounts, aren't able to see your app
(browser displays an error message: "this website is not secure bla bla, ecc")
Yes, you need a SSL certificate, but you can get 1 free cert in startssl.com.
Since FBML apps canvas url(s) are not directly accessible by the end user, I suppose not , but can anyone confirm this ?
Confirm: "An SSL Certificate is required for all Canvas and Page Tab apps (not in Sandbox mode and not FBML)." See here: http://developers.facebook.com/docs/oauth2-https-migration/
Though I am currently getting mixed content warnings in IE and Firefox when using Facebook in https mode and then loading content over http in the app. So users of your app might get kinda bad feeling if you do not serve your content over https.
UPDATE:
Facebook:
"We have heard that there is some confusion about whether FBML apps
must support HTTPS. FBML developers still need to know whether users
are browsing Facebook over a secure connection since they need to
detect whether to serve iframe or video content over HTTPS. As a
result, FBML apps must obtain SSL certificates in order to serve this
type of content to users browsing over a secure connection. If you
have an FBML app, please obtain an SSL certificate for your app to
receive traffic from users browsing Facebook over a secure connection.
If you enable SSL for your FBML app, please make sure that your SSL
certificate includes all intermediate certificates in the chain of
trust as our SSL validation is strict. You can use third-party SSL
analysis tools (e.g., https://www.ssllabs.com/index.html) to check
your certificate status and fix any errors (and warnings). If your SSL
certificate has problems, you may see "Empty response received" error
when you load your FBML canvas app."
https://developers.facebook.com/blog/post/567/
I have been reading the developer blog on Facebook this morning and stumbled across this article saying that all Canvas pages are to use OAuth and SSL.
• an SSL Certificate is required for all Canvas and Page Tab apps (not
in Sandbox mode)
• old, previous versions of our SDKs will stop working, including the
old JavaScript SDK, old iOS SDK
Does this really mean that any application that has been created before this date will stop working? Am I really going to have to buy an SSL certificate for each application?
Yes looks like it. They told developers on 11th May 2011 :
Today, we are announcing an update to our Developer Roadmap that
outlines a plan requiring all sites and apps to migrate to OAuth 2.0,
process the signed_request parameter, and obtain an SSL certificate by
October 1.
Migration to OAuth 2.0 + HTTPS timeline:
July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0
and have new cookie format (without access token). September 1: All
apps must migrate to OAuth 2.0 and expect an encrypted access token.
October 1: All Canvas apps must process signed_request (fb_sig will be
removed) and obtain an SSL certificate (unless you are in Sandbox
mode). This will ensure that users browsing Facebook over HTTPS will
have a great experience over a secure connection. We believe these
changes create better and more secure experiences for users of your
app. A migration plan below outlines the potential impact on your
apps.
From here:
Please Note: An SSL certificate is not required for user
authentication on your site, Likes, Comments or other things. It's
only used if you want to show your site (or parts of it) inside the
Facebook.com domain.
Once your SSL certificate is installed on your site, you'll simply
need to enter your new secure URL into the "Secure Canvas URL" and
"Secure Tab URL". To obtain and install an SSL Certificate, we've
partnered with The SSL Store in order to make the process as smooth as
possible. SSL Certificates that work with Facebook can be purchased
for as little as $11/year (multi-year) or $18 for just one year.
Purchasing a certificate through The SSL Store takes about 10 minutes
and they have a 30-day money back guarantee.
Below are instructions on how to purchase a new SSL certificate for
your site so that you can use the Facebook Page features without any
issue.
It does seem that you need to have one, and not one per app.
So I created a facebook app using iframes, I'm using it as a tab on a facebook page and it works.
But if I use HTTPS, the tab isnt even there.
Anyone know how to fix this?
thanx
Facebook recently enabled the ability for users to set their accounts to use secure browsing (https / ssl). In your application settings > Facebook integration section you now have 2 fields: Secure Canvas URL & Secure Tab URL which in order for your app to work if a user has enable secure browsing, you will need to fill those in. This also requires that the server you are hosting your app on has a valid and configured SSL certificate.
If you are browsing over HTTPS (which is a something a user can now enable in their FB account settings), then the iframe will need to be pulled in over a secure connection too.
This is a known issue (marked as fixed and resolved - http://bugs.developers.facebook.net/show_bug.cgi?id=15200) and, rather than attempting to simply call the same URL over HTTPS, Facebook now provide a separate field under the integration settings for the URL of a secure version of the iframe. If this does not exist, then the tab will not display over HTTPS.
Sergiogx, make sure you filled both fields Canvas Tab URL and Secure Canvas Tab URL. I'm using free facebook page hosting from http://hostfb.com and they also provide SSL support.