I have an issue with my Facebook app when the user uses Internet Explorer.
My app is loaded in iFrame as Canvas Page.
Cookies and Session are lost after post back. It doesn't happen of Firefox at all,
and it doesn't happen on IE if I open my app outside of Facebook, meaning, using the direct URL.
My app is Asp.net C# app but it shouldn't really matter.
I think the issue is larger than a Facebook issue... any website loaded in iFrame using cookies/session is prevented by IE from keeping cookies/session, but is there a way by Facebook to overcome this? I must use sessions in my app, not just to save the reauthentication again and again but for other things too.
Please assist me.
Thanks!
most likely you need to implement P3P headers in your app, see the following for more details:
http://forum.developers.facebook.net/viewtopic.php?id=452
Related
the title pretty much sums it up. Is it possible to establish a connection with facebook using flash AS3 "only", without having to work with Javascript, html, iframes or any other externals.
The reason is a simple game I was making for android using AdobeAir that connects with facebook for leaderboard purposes. Works quite well, ofcourse with AdobeAir you get the flash internal webview and ANEs to help with the facebook communication. But outside AdobeAir, as a simple web-aimed swf file you dont.
Since I was hoping to make a web-version of the game and upload it to game-hosters, I was wondering if there is a way to make a connection and wrap it up in a single swf file, since thats what these sites want for upload.
Hopes are slim, yet I would appreciate any help on this!
You need some kind of web interface to load the authorisation dialogue from Facebook. This is a popup with content running within Facebook itself, if the user then authorises your app Facebook will send a callback where you can get the access_token.
This is explained rather rudimental, the point being is that the authorisation is on Facebook ends, this is the security. In AIR you use StageWebView, in a browser you load the authorisation URL in a popup, this is implemented in the Javascript SDK for you.
You can put a button in Flash, use ExternalInterface to call methods in the Javascript SDK and send the access_token back as a callback. If you have the access_token you can use AS3 to make API calls with it in the form of HTTP requests.
Is your application a Facebook App? If your SWF is running inside the Facebook Canvas, of course it is more convenient to get the login information directly through official Javascript SDK, but if you want, this may help you. https://code.google.com/p/facebook-actionscript-api/
Any request you can write in JS, you can code in AS3 also. I don't see any problems, since FaceBook has 100% documented API.
I want to open my small platform to developers, so they can build applications that could be inserted in our site as iframe. Similar as facebook is doing, but no, I am not trying to build another Facebook:). From what I understand developers can build facebook application using iframe.
Question: I am wondering how is about security from facebook user perspective. How Facebook prevent that application developer doesn't put malware javascript code inside iframe. I haven't noticed any automatically mechanism that prevent including something like that in iframe.
tnx
No, this is not a problem at all, I think you are worrying for nothing.
There are no security issues that you need to worry about yourself, the loaded page in the iframe is sandboxed, and is "guarded" by the browser.
The two iframes can't even communicate with one another since they are not sharing the same domain, and modern browsers will block any attempt to execute javascript code in another frame if the two frames have different domain.
The thing that facebook did was to workaround that problem, each iframe app in facebook loads the facebook javascript sdk which then enables the nested iframe to make requests to facebook and be notified (by callbacks) when the data returns.
As for "malware javascript code inside iframe to attack user computer via browser", the iframe has the same exact security policies enforced by the browser as any other browser page, if someone manages to somehow bypass those policies then it has little difference where it's loaded, and facebook are not enforcing any other security measures.
The only thing you need to worry about is that scripts inside the iframe will be able to access your scripts and/or dom, which should not happen unless you create a machnism which will let them (somehow bypass the cross-domain policy).
I have installed the vBulletin Facebook app for a client, and am trying to link the app page from within the sidebar on the Fan Page for the site. However, the page returned upon clicking the link is blank. I think this may be a fault on vBulletin's side (which sadly has little to no debugging facilities that I can see), possibly the referrer does not match the App URL. Has anybody come across this problem before?
Any possible workarounds via Facebook? I have tried setting the Page URL to the apps.facebook.com URL but it didn't work and through a search I've found that it's not the right approach anyway.
Edit: I have also tried iframe within an iframe, like setting the page url to a page and having an iframe in that one. It didn't work, but then again it's fairly obvious why it didn't. The last resort I think would be to see if I could reverse engineer the vBulletin code to ignore referrers or allow a different one (if it's even the problem).
Double edit: Perhaps just a way to send a link off to a new window via the app tab??
Thanks
Is it coming from an SSL site? I think now all fan pages have to come from an SSL site or they will error out. -Buddy
I'm building an iPhone app that has some social features. I've managed to get the user to log-in to Facebook within my application.
I've also implemented a webview that loads a facebook iPhone-optimized page. What I now want to do is my user to be logged-in within the webview without having to log-in twice (once in the app and once in the webview)
I've tried a few things playing around with the access_token in the URL but it didn't work.
Does anyone know if it is possible to implement that and how to do it?
Thanks in advance for your help
Short answer: You're probably not supposed to be able to do that.
The idea is that your app should only store an authentication token that lets you do stuff as your app (e.g. post to the wall as your app). On the web version, the user is logged in to facebook and facebook additionally passes an authentication token to your website; on the iOS version, I think you never get the Facebook session cookie, and I'm pretty sure you need the Facebook session cookie to be logged in to the web side of things (especially since it's designed for the browser — logging out of Facebook logs you out of Facebook Connect on all sites).
There are loads of things you can do to work around this — it's trivial to just ask the user for a username/password (and the whole idea of a "trusted UI" inside a UIWebView inside your app is flawed, despite Facebook's claims).
The "right" thing to do is to implement everything using calls to the iOS SDK so you don't have to bother with the web side of things.
were you testing your app on the simulator or on the device? The reason i ask is because im trying to get the app to stayed logged into fb which it does, sorta...it still pops a fb dialog saying it logged in fine and the user has to click on an OK button.
I havent had time to test it on the device but i think it may have to do with the fact that with the OAuth 2.0, with 3.2.x or >...if the fb is installed, it uses the fb-app login but if its not installed it uses the safari web login.
Since simulator doesnt have the fb app installed, it actually uses the safari web login (i humbly deduced) which would otherwise store a cookie and maybe it doesnt do so on the simulator..dunno, im still looking for the answer on that one :)
I have been using single sign on authentication for my facebook canvas iframe app.
It works fine on IE, Firefox, Chrome(all latest). But doesn't work on Safari 5.
I know safari doesn't allow cross-domain cookies, and that's the reason it's not working. Facebook sets cookie for my app's domain that I can use as single sign on mechanism.
If I go to Safari's Preferences and set to allow cookies always and not only for sites I have visited, the entire app works fine. But, I don't expect every single safari user of my app to be doing that.
Has any one got this working? I tried using couple of other apps, and they seem to work but not sure if they use single sign on approach to authentication, which is actually recommended by facebook documentation. Do you think I should be using another approach that can fix it for me?
Info: I'm using ASP .NET MVC 2
Thanks
This worked pretty well for me.. http://forum.developers.facebook.net/viewtopic.php?pid=257432#p257432