With Facebook requiring a secure URL for Canvas applications on October 1st, what will happen to legacy applications that have no URL specified for the Secure Canvas URL? Will they continue to load over HTTP and fail over HTTPS?
Suppose an application has URLs specified for the Canvas, Page Tab, and Secure Page Tab, but no URL specified for the Secure Canvas. Will these applications continue to function, or will they be blocked entirely because they lack a secure URL for the Canvas?
Use a simple bit.ly address in your canvas URL... it works.
Well the applications without secure connection (https) are still working. Today is October 05 and I'm not seeing any sort of change in my apps. They are working nicely and people have access.
Yes, unfortunately the entire app will be blocked, well, that's what I'm reading around the web anyway.
AFAIK you need your secure URL to have some location URL for it to function.
And now I see Facebook has added a message for users to enable secure browsing when you log in. so even more so no to get a secure link than ever.
If you are struggling, try out http://social-server.com. Instead of buying an SSL certificate it does the same thing for free and it's instant!
Applications will enter a new 'disabled' mode, similar to sandbox, until Secure Callback URL is set.
Come October 1st, as the dev pages on Facebook state, you will be required to have a secure URL. I just picked up a cheap SSL cert from GoDaddy for like 16 bucks for a year. I do not know if they still have the deal going on, but it's definitely worth checking. Once the cert is installed on your server, you do not need to migrate anything. The whole process took like 2 hours, most of which was waiting on GoDaddy.
Just researching this issue; I don't have an ssl cert and when I try to access my app as a Facebook app I get:
I think no SSL is the cause, so it looks like I need to buy one :(
I have come up with an interesting hack for this problem.
You can create a HTML file that is accessible over HTTPS that just redirects to your webpage. For example, you can use dropbox. Since Facebook loads your secure canvas URL page in an iframe, your code needs to redirect the top page. Something like this.
<html>
<head>
<script>
// Runs inside the canvas iframe, so it navigates the top-level window.
function onLoad() {
  window.top.location.href = '<your website>';
}
</script>
</head>
<body onload="onLoad()">
<p>Please wait while you are being redirected to <your website name>…</p>
</body>
</html>
And provide this link as the secure canvas URL. I blogged about this in more detail - http://blog.almabase.com/post/84579042935/interesting-hack-for-facebook-secure-canvas-url
After searching the web for a while, I am still not able to find the correct solution to my problem: how to make sure the browser is redirected to the https app URL. Since the canvas app is an iframe, we don't have access to change the window.top.location to the https equivalent.
If the visitor comes to
http://apps.facebook.com/app_name/
I want him redirected to
https://apps.facebook.com/app_name/
Totally unable to fix it with javascript in the app loaded in the canvas since top.location is impossible to tamper with due to cross-domain origin rules. It could have been fixed easily with a redirect rule implemented by Facebook, and I am surprised it's not a checkbox in the Facebook app setup to enforce SSL. We do not want our game to be accessible over http.
I have tested to set both Canvas URL and Secure Canvas URL to point to the https url, but that gives this error (cross-domain trouble): Unsafe JavaScript attempt to access frame with URL http://apps.facebook.com/app_name/ from frame with URL https://s-static.ak.facebook.com/
Please advise.
Ok, so it is possible to redirect the top window. I must have had a typo when I tested it the first time. This tiny script does the trick:
<script>
if ( window.location.protocol == 'http:' ) {
window.top.location = 'https://apps.facebook.com/app_name/';
}
</script>
However, I still don't understand why this isn't an option in the app setup on Facebook. It would have been a lot more efficient and user friendly with a server side redirect rule.
For some reason my application has decided to stop loading page tabs when using HTTPS. I do use an SSL certificate on my server, and the Facebook canvas page even loads using HTTPS:
https://apps.facebook.com/myflashstore
But the Page tab only loads using HTTP even though for a long time it was working with HTTPS just fine.
http://www.facebook.com/trubeats/app_79482449955
https://www.facebook.com/trubeats/app_79482449955
In the app settings, the Secure Page Tab URL is the same as the Page Tab URL so there shouldn't be an issue. Anyone have any ideas? Help is much appreciated
I found the solution. The Secure Page Tab URL was a relative URL, relative to my Canvas URL - while it worked fine ever since I made the app, and worked fine for HTTP requests, for some reason the Secure Page Tab URL now wanted a full URL. Thanks Facebook for continually changing things...makes life much easier for us!
There is a problem with Facebook applications/page tabs for Chrome/Internet Explorer users who have checked the "secure browsing" setting in their profile, but not only for them.
The problem arises when Facebook opens our app over the https protocol. Let's assume that we have an app and all our resources are accessible over https. When a user visits our app, everything works except iframe/JS widgets provided by external sites without SSL, like some counters, instant messaging widgets etc.
What to do if the page where the widget comes from doesn't let us generate SSL-version code, and just changing http to https doesn't work either because of missing certificates, SSL not being enabled, etc.?
TripAdvisor widget
The answer is: replace this script tag with the TripAdvisor script.
This:
<script src="http://www.jscache.com/wejs?wtype=sswidecollectreview&uniq=612&locationId=1480219&lang=en_US&border=true"></script>
To this tag from the TripAdvisor script:
<script src="https://www.tripadvisor.com/WidgetEmbed-sswidecollectreview?uniq=831&locationId=308116&border=true&lang=en_US"></script>
and add the [ S ] character to the link for images [https], like this:
<a target="_blank" href="http://www.tripadvisor.com/"><img src="https://www.tripadvisor.com/img/cdsi/img2/branding/medium-logo-12097-2.png" alt="TripAdvisor"/></a>
To this:
<a target="_blank" href="http://www.tripadvisor.com/"><img src="https://www.tripadvisor.com/img/cdsi/img2/branding/medium-logo-12097-2.png" alt="TripAdvisor"/></a>
It works...
Basically what the "padlock"/SSL indicator in the browser indicates is that the whole page is secure.
That means, no insecure content is included on the page without explicit warning by the browser that that is the case.
There may be browser specific workarounds (aka bugs), but relying on them for your page to work is not a good idea.
The best "workaround" is likely to just contact the people hosting the widgets and inform them about your problem, or if possible just plain hosting the widgets on your own secure site.
Problem
I have an application driving a tab on a client's page. The application works correctly if the user has not enabled FB's "secure browsing" feature. If attempting to view over HTTPS, the iframe doesn't even appear (no errors, no mixed-content warnings). When correctly loading over HTTP, the div with the id "pagelet_app_runner" has an iframe inserted into it and the application content is loaded inside there. Over HTTPS, this div remains empty and the iframe is not inserted into the page. There are no Javascript errors appearing in Firebug or Chrome's equivalent console.
Why I'm Asking Here
The host has a valid SSL certificate and there is no 'mixed content' at the URL in question. I can successfully view the content over HTTP or HTTPS by visiting the URL directly, and I can do the same by visiting apps.facebook.com/canvasURL/tabURL. It is only when attempting to view within a Page Tab that the HTTPS load fails as described above. My application is configured with both regular and secure canvas and tab URLs.
Attempted Debugging
I've recorded some sessions with Charles but since the iframe isn't being inserted into the page, I think I'm coming at the problem after it's already occurred. I'm no Charles expert so happy to be corrected here.
Apache isn't seeing any request (in either regular or SSL logs) for the affected loads. Non-SSL loads come through as expected in access_log.
Plea for Help
I'm out of ideas for debugging this. Does anybody have any suggestions? What really obvious and stupid mistake might I have made? :)
edit: nicer formatting
Your app canvas URL is https://skinnycomp.nextstudio.com.au/skinnycowcomps/ , which sends a 404 error to the Facebook proxy (the request goes through a proxy when viewing the app via a tab). Also, when viewing your app via apps (https://apps.facebook.com/122381834451561/), again 404... maybe the Facebook proxy is ignoring the 404 and posting blank...
Try changing the canvas URL to https://skinnycomp.nextstudio.com.au/skinnycowcomps/tab. Also, you can check if your app is accessed via a page tab: in signed_request there should be page_id...
23:51:15.379[549ms][total 1667ms] Status: 404[Not Found]
GET https://skinnycomp.nextstudio.com.au/skinnycowcomps/
This is a real longshot since I'm sure you've triple checked all the settings, but the blank page can happen if an invalid url is specified in the Page Tab URL field in the app settings. Since it only happens on https, it would imply something specifically with the Secure Page Tab URL entry. It might be worth checking that again, and maybe even re-saving it or changing it to something else to see if it helps.
I was using relative URLs for the regular and secure tab URL fields. From memory relative URLs here were mandatory at some point in the past. It appears now that a relative URL will still work for HTTP but not for HTTPS. Fix: absolute URLs. Hopefully FB update their field validation to match what's required too.
Since FB is requiring all iframed apps to be hosted under SSL come October 1st, how will this affect people like me who have apps that iframe content from non-SSL domains?
For example:
My app domain is: https://myfbapp.com/appfolder
In my index.php file in my /appfolder, I have images and iframed sites that aren't SSL. For example, I might have a couple of images embedded on my site that are from tinypic. Since they use a non-SSL format for their pictures, what would happen?
This question applies to all non-SSL content being embedded or iframed on your SSL enabled app domain/folder.
I believe Facebook will just be checking for the SSL cert. However, your browser may complain about the mixture of secure and unsecure items when they are served in this way.
Hey, I hope this link helps you:
Facebook Secure Browsing (HTTPS), iFrame Tabs & Mixed Content Warnings
Files that MUST be HTTPS to avoid the mixed secure and nonsecure content warning:
Images — <img /> tag;
External CSS (.css) and JavaScript (.js) files
Or put the images in the same directory (appfolder) and use relative links.
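For the mixed-content questions in the threads above (third-party widgets and non-SSL images inside an HTTPS app), an added example, not code from any of the posters: a scan of app markup that lists every `http://` subresource and separates blocked "active" loads from "passive" ones. The tag table, function names and sample URLs are constructed here.

```javascript
// Added example: list http:// subresources in markup served from an HTTPS app URL.
// "active" loads (script, frame, stylesheet) are blocked by current browsers;
// "passive" loads (images, media) are treated more leniently but still cost the padlock.
const SUBRESOURCES = new Map([
  ['script', ['src', 'active']], ['iframe', ['src', 'active']],
  ['embed', ['src', 'active']], ['object', ['data', 'active']],
  ['link', ['href', 'active']],            // rel=stylesheet only, see below
  ['img', ['src', 'passive']], ['audio', ['src', 'passive']],
  ['video', ['src', 'passive']], ['source', ['src', 'passive']],
]);

// Read one attribute from the raw text of an opening tag.
function attr(tagText, name) {
  const re = new RegExp(
    '\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tagText);
  return m ? (m[1] ?? m[2] ?? m[3]).trim() : null;
}

// Regex scan of opening tags: good enough for auditing templates, not a full
// HTML parser (a '>' inside an attribute value would cut the tag short).
function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const rule = SUBRESOURCES.get(tag);
    if (!rule) continue; // <a href="http://..."> is navigation, not a load
    if (tag === 'link' && !/stylesheet/i.test(attr(m[0], 'rel') || '')) continue;
    const url = attr(m[0], rule[0]);
    // Relative and protocol-relative (//host/x) URLs inherit https and pass.
    if (url && /^http:\/\//i.test(url)) findings.push({ tag, url, kind: rule[1] });
  }
  return findings;
}

// Constructed sample page (URLs are placeholders, not taken from a real app).
const SAMPLE = [
  '<script src="http://widgets.example/counter.js"></script>',
  '<a href="http://www.tripadvisor.com/"><img src="https://cdn.example/logo.png"></a>',
  '<img src="http://images.example/pic.jpg">',
  '<img src="images/local.png">',
  '<link rel="stylesheet" href="//cdn.example/app.css">',
  "<iframe src='HTTP://chat.example/widget'></iframe>",
].join('\n');

console.log(findMixedContent(SAMPLE));
```

Run over the sample, it reports the script, the `http://` image and the iframe, and leaves the relative image, the protocol-relative stylesheet and the plain `<a href>` link alone.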