Secure Page Tab URL question - running the original version in an iframe inside a secure HTML file - facebook

I noticed a site that offers a free secure adaptor for page tab apps.
Looking at the source code, I saw that the adaptor was basically an iframe running my old insecure URL inside an HTML file hosted on a secure server.
Is such a solution going to last for Facebook?
From what I read about SSL, this doesn't seem entirely legit and I wouldn't want to start using such a service and then discover that in a month or two Facebook will block these practices or that this sort of "secure" page will generate all sorts of browser warnings.
I don't really deal with Facebook data (except for signed_request and app_data), my app requires no permissions and no data from the user, so I won't need to interact with Facebook in my secure version, other than asking for the signed_request and possibly app data.

Wouldn't you still have a mixed content warning if the initial content is loaded over HTTPS and your original page is loaded over HTTP in an iframe?
Unless I'm missing something here, this solution is only going to solve the 'Facebook says I need a secure URL' problem, not 'Facebook says I need a secure URL so people can access my app over HTTPS without problems'.

Related

iframe facebook app with woobox

I recently made an iframe app/page for my FB fan page with woobox. I have 100% SSL hosting; however, a lot of users are saying that they are unable to load this iframe site. Everything works 100% for me and many other visitors, but some are saying that the page displays some server connection error. Any ideas? Maybe I need to include some FB scripts in order for the iframe page to work 100%?
When I load the app with this iframe, the connection is secure so SSL shouldn't be the prob. I did however get very cheap SSL, can this be the problem?
Likely what is happening is that while your Facebook connection is secure, the contest in the iframe is still pointing at the http:// version of your page and not the https:// version. Most static iframe apps aren't smart enough to check this, so they serve insecure content on a secure page.
The majority of browsers will be fine with this, but some people might have their browser security settings tweaked a little bit differently and that's probably where you're seeing people unable to access your frame content.
An easy solution is to just have the static iframe app ALWAYS direct to your https:// content, that way, what you're serving is secure whether or not the user is browsing facebook on http:// or https://
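The situation described in this answer and in the adaptor question above (an HTTPS wrapper page framing an HTTP app) can be checked offline. This is an added example, not code from any poster or from the services mentioned; the URLs and the sample page are constructed, and the severity labels follow the browsers' mixed-content categories.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser load a subresource or nested page.
URL_ATTRS = {"iframe": "src", "frame": "src", "script": "src", "embed": "src",
             "object": "data", "img": "src", "audio": "src", "video": "src"}
# Media loads are the "optionally-blockable" kind; everything else is blocked.
PASSIVE = {"img", "audio", "video"}


class SubresourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, raw URL as written in the markup)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.found.append((tag, value.strip()))


def find_mixed_content(page_url, html):
    """Return [(tag, absolute_url, severity)] for http:// loads on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists when the parent page is secure
    collector = SubresourceCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.found:
        absolute = urljoin(page_url, raw)  # resolves relative and //host URLs
        if urlsplit(absolute).scheme == "http":
            severity = "optionally-blockable" if tag in PASSIVE else "blockable"
            findings.append((tag, absolute, severity))
    return findings


# Constructed sample: a "secure adaptor" page that frames the original HTTP app.
ADAPTOR_HTML = """
<html><body>
  <iframe src="http://app.example.com/tab/index.php"></iframe>
  <script src="//cdn.example.com/sdk.js"></script>
  <img src="http://app.example.com/logo.png">
  <iframe src="/local/frame.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    page = "https://secure.example.net/adaptor.html"
    for finding in find_mixed_content(page, ADAPTOR_HTML):
        print(finding)
```

The protocol-relative and relative URLs inherit the parent's https scheme and are not flagged; only the explicit http:// iframe and image are.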

Blank Canvas Page for iFrame App

I'm working on an iframe style app that pulls the facebook optimized page available at http://store.starrco.com/?store_mode=facebook. I've done other, admittedly much simpler, iframe apps before without issue, but though I've configured this one more or less the same, when I try to view the canvas url it remains blank.
My settings can be seen here: http://www.abstraktmg.com/clients/starrco/starrcofbsettings.jpg
I've tried a few different permutations of this with the same results, this is the most complete setup though and most closely matches the settings template I was given.
This page is being generated by Webasyst's shop-script, which is specifically supposed to support this. The obvious answer then is to contact their support which I did, but after assuring them that my app settings matched their template, they said I needed to contact Facebook support and this is as close as I could find to any proper support system.
I checked both http and https versions of store.starrco.com/?store_mode=facebook and both worked outside of facebook.
However, there may be some framebusting code which might prevent the site from being loaded in an iframe. And I see that your settings appear to be missing the app domain entry.
I ran into the same problem, especially in Chrome and Firefox. The problem is, when the user is surfing with https on Facebook, the https version of the iframe is called. But the browser does not show invalid certificate problems until you right-click page information.
You need to have a signed SSL cert by a CA trusted in the browser.
If the user has accepted it without the iframe - outside of Facebook, it works.

Given URL is not allowed by the Application configuration

I am trying to use the Facebook JavaScript SDK for my Chrome extension. Since it is a Chrome extension, how do I integrate it with Facebook? Is it an app on facebook.com or a website?
Currently I have it as a website.
My site URL in the settings is:
http://localhost/Users/home/Documents/facebook/
I have also enabled web sharing on my Mac.
Do I need to set the site domain as well? What am I doing wrong here?
Enter http://localhost/Users/home/Documents/facebook/ as your "Site Domain" on the developer app:
https://developers.facebook.com/apps/{api_key}/summary
Replace {api_key} with yours; or find a link at https://developers.facebook.com
Interestingly enough, Facebook lets you type anything into the domain so it can be an offline URL (such as localhost or a local port) and Facebook will redirect to it after authentication.
You can test Facebook applications locally if you add an entry to your hosts file which points to any subdomain of the root domain you gave Facebook. For example, if your domain is example.com, you can add entry to your hosts file pointing fbtest.example.com to localhost (127.0.0.1).
You can then test away locally without having to edit your Facebook app configuration (assuming your local server is set to serve the same content to all subdomains).
Alternatively, if it's important to have the exact domain, you can just add an entry for the root domain. It just means you won't be able to access the live site while testing.
In order to develop and publish a Facebook application, you must provide a web accessible URL that Facebook can query. If you have webspace you can upload to or make your IP available to the web for Facebook to call, it should solve your problems.
Facebook will allow you to put just about any valid url into the box, however when you go to use it for logins or general use, you will begin to notice errors, since Facebook's spider cannot fetch the url.
Check the 'Desktop Apps' section of https://developers.facebook.com/docs/authentication/
This explains how to do authentication where there's no server involved. It's aimed at desktop apps, but a browser toolbar should work in a similar way.

facebook page tab not available over ssl

So I created a facebook app using iframes, I'm using it as a tab on a facebook page and it works.
But if I use HTTPS, the tab isn't even there.
Anyone know how to fix this?
thanx
Facebook recently enabled the ability for users to set their accounts to use secure browsing (https / ssl). In your application settings > Facebook integration section you now have 2 fields: Secure Canvas URL & Secure Tab URL, which you will need to fill in for your app to work if a user has enabled secure browsing. This also requires that the server you are hosting your app on has a valid and configured SSL certificate.
If you are browsing over HTTPS (which is something a user can now enable in their FB account settings), then the iframe will need to be pulled in over a secure connection too.
This is a known issue (marked as fixed and resolved - http://bugs.developers.facebook.net/show_bug.cgi?id=15200) and, rather than attempting to simply call the same URL over HTTPS, Facebook now provide a separate field under the integration settings for the URL of a secure version of the iframe. If this does not exist, then the tab will not display over HTTPS.
Sergiogx, make sure you filled both fields Canvas Tab URL and Secure Canvas Tab URL. I'm using free facebook page hosting from http://hostfb.com and they also provide SSL support.

Facebook Open Graph without a browser

For a middleware system with internet (which works inside a set-top box) I want to develop a primitive Facebook interface where users can type their user-names and password, showing their latest notification, messages and other casual stuff on the TV screen by using the recent Facebook Graph API.
This middleware program uses Java ME to run programs (such as this simple facebook app) and it can connect to internet however it doesn't have a real web browser. Without browser it can connect to any url to retrieve the JSON response however I am not sure how to achieve authentication without a real browser.
Under these circumstances, is Facebook authentication possible? If you think so, what approach would you suggest?
Thanks
Facebook provides trusted partners with a private Authorization API to get an OAuth 2 token from a username / password.
A more complicated approach would be doing something similar to how Netflix enrolls a device:
1. device calls server to obtain a Code
2. device shows code on screen and directs user to go to URL on server and enter Code
3. server redirects user to Facebook and obtains OAuth token, user told to go back to device
4. device calls server with Code and obtains OAuth token
5. device can now make calls directly on behalf of user
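A sketch of the middle server in the enrollment flow listed above, as an added example rather than the answerer's code or any Facebook or Netflix API. It goes one step beyond the description by splitting the single Code into a short code shown on screen and a separate secret the device polls with, so that someone who only sees the TV cannot collect the token. `EnrollmentServer`, the code alphabet, the 10-minute lifetime and the opaque token string are all assumptions.

```python
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels or digits: easy to read off a TV
CODE_TTL_SECONDS = 600                       # assumed lifetime of a pending enrollment


class EnrollmentServer:
    """In-memory stand-in for the server that sits between device and OAuth provider."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}  # device_secret -> {"user_code", "expires", "token"}

    def start(self):
        """Step 1: the device asks for a code. Returns (device_secret, user_code)."""
        device_secret = secrets.token_urlsafe(32)  # kept on the device, never displayed
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[device_secret] = {"user_code": user_code, "token": None,
                                       "expires": self.clock() + CODE_TTL_SECONDS}
        return device_secret, user_code

    def approve(self, user_code, oauth_token):
        """Step 3: the user typed the code in a browser and completed the OAuth redirect."""
        now = self.clock()
        for entry in self.pending.values():
            if (entry["expires"] > now and entry["token"] is None
                    and secrets.compare_digest(entry["user_code"], user_code)):
                entry["token"] = oauth_token
                return True
        return False

    def poll(self, device_secret):
        """Step 4: the device polls. Returns (status, token); the token is handed out once."""
        entry = self.pending.get(device_secret)
        if entry is None:
            return "unknown", None
        if entry["expires"] <= self.clock():
            del self.pending[device_secret]
            return "expired", None
        if entry["token"] is None:
            return "pending", None
        del self.pending[device_secret]  # one-time redemption
        return "ok", entry["token"]
```

A real deployment would also rate-limit `approve` per client, since the on-screen code is short enough to be guessed given unlimited attempts.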
According to this documentation on "Desktop Application Authentication" I don't believe your desired result is possible:
Facebook's OAuth implementation does not include explicit desktop application support. However, if your desktop application can embed a Web browser, you can add Facebook support to your application easily using the same OAuth User-Agent Flow used by JavaScript clients.
However, it is clearly possible for certain vendors to do this, since Microsoft's Xbox 360 Facebook application does exactly what you are proposing. I'd be interested to see if anyone has dug up any API for doing this that Facebook doesn't want in their most obvious documentation.
This isn't an answer but I'm trying to do the same thing. Check out this guy's blog which uses another server to proxy the requests:
cory wiles blog
If you figure it out please post a detailed answer here so I can do it too.. :)
I think it is possible though it is pretty complicated and subject to sudden changes of Facebook interface. It might break the agreement between you and Facebook.
What you do is to emulate the Facebook.
One path: you have to set up a Facebook application. Once you get the authorisation from the user, you can do something with Graph API.
You need to the Facebook log-in process and authorisation process. There are some capturing tools on http/https request and response. Analyse them, both header and body.
Once you know the authorisation mechanism, you can replace it with your own. Everything afterward is on Graph API.
Another path is to emulate Facebook login and message and notification process. Capturing and analysis is needed.
In the past I have used a tool called screen-scraper (full disclosure: I used to work there) to automate logging in to facebook. Basically, it imitates a browser session; it allows you to set session variables (i.e. username, password) which would then be submitted to facebook, just as if the user had submitted them in a browser.
You may not be able to use screen-scraper in your set-top box environment (although it is java-based, so it's possible it would work). Even if it doesn't, you could implement a similar strategy in java, making the HTTP calls a browser would make to load the login page and submit the user's credentials. To keep the user's info safe make sure whatever HTTP client library you use supports HTTPS.
Proxy tools and extensions like Charles, Fiddler2, Firebug, Chrome's dev tools, etc. are helpful in seeing exactly what the browser is sending to the server in requests.