Is there a way to run an HTTP*S* application as IFrame facebook app? if not, how can i prevent replay attacks and make sure that the content passed between the browser and the server is not captured.
Also, is it possible to have Ajax calls to the server going over secure channel?
Thanks,
Pomponius.
All you need to do is set your canvas URL to an https url. However, you are going to run into a number issues such as the Facebook Javascript SDK is not hosted on https. Also, you should be aware that Facebook itself is susceptible to relay attacks so you aren't really going to be able to fully mitigate the problem. As far as making AJAX calls to your server you have complete control over that so as long as your client side javascript and your server support this then it won't be a problem.
Related
I built an app for facebook on my system and then planned to move it into shortstack so I could easily publish it to Facebook. Unfortunately, while everything loads correctly in shortstack, nothing loads on the Facebook page. I think this is due to mixing HTTP and HTTPS but I've never had my browser complain about this before so Im not sure what to do.
How can I either A) circumvent Facebooks HTTPS requirement so that my iframes load
or B) determine a different root cause of this problem?
facebook apps must be served using HTTPS (unless they are in sandbox mode). That means you must get SSL certificate. You can get one for free from http://StartSSL.com for example - i have had only positive experience with them.
I recently made a iframe app/page for my FB fan page with woobox. I have 100% SSL hosting, however, a lot of users are saying that they are unable to load this iframe site. Everything works 100% for me and many other visitors, but some are saying that page displays some server connection error. Any ideas? Manye I need to include some FB scripts in order for iframe page to work 100%?
When I load the app with this iframe, connection is secure so SSL shouldnt be the prob. I did however get very cheap SSL, can this be the problem?
Likely what is happening is that while your Facebook connection is secure, the contest in the iframe is still pointing at the http:// version of your page and not the https:// version. Most static iframe apps aren't smart enough to check this, so they serve insecure content on a secure page.
The majority of browsers will be fine with this, but some people might have their browser security settings tweaked a little bit differently and that's probably where you're seeing people unable to access your frame content.
An easy solution is to just have the static iframe app ALWAYS direct to your https:// content, that way, what you're serving is secure whether or not the user is browsing facebook on http:// or https://
I want to open my small platform to developers, so they can build applications that could be inserted in our site as iframe. Similar as facebook is doing, but no, I am not trying to build another Facebook:). From what I understand developers can build facebook application using iframe.
Question: I am wondering how is about security from facebook user perspective. How Facebook prevent that application developer doesn't put malware javascript code inside iframe. I haven't noticed any automatically mechanism that prevent including something like that in iframe.
tnx
No, this is not a problem at all, I think you are worrying for nothing.
There are no security issues that you need to worry about yourself, the loaded page in the iframe is sandboxed, and is "guarded" by the browser.
The two iframes can't even communicate with one another since they are not sharing the same domain, and modern browsers will block any attempt to execute javascript code in another frame if the two frames have different domain.
The thing that facebook did was to workaround that problem, each iframe app in facebook loads the facebook javascript sdk which then enables the nested iframe to make requests to facebook and be notified (by callbacks) when the data returns.
As for "malware javascript code inside iframe to attack user computer via browser", the iframe has the same exact security policies enforced by the browser as any other browser page, if someone manages to somehow bypass those policies then it has little difference where it's loaded, and facebook are not enforcing any other security measures.
The only thing you need to worry about is that scripts inside the iframe will be able to access your scripts and/or dom, which should not happen unless you create a machnism which will let them (somehow bypass the cross-domain policy).
I noticed a site that offers a free secure adaptor for page tab apps.
Looking at the source code, I saw that the adaptor was basically an iframe running my old insecure url inside a html file hosted on a secure server.
Is such a solution going to last for Facebook?
From what I read about SSL, this doesn't seem entirely legit and I wouldn't want to start using such a service and then discover that in a month or two Facebook will block these practices or that this sort of "secure" page will generate all sort of browser warnings
I don't really deal with Facebook data (except for signed_request and app_data), my app requires no permissions and no data from the user, so I won't need to interact with Facebook in my secure version, other than asking for the signed_request and possibly app data
Wouldn't you still have a mixed content warning if the initial content is loaded over HTTPS and your original page is loaded over HTTP in an iframe?
Unless I'm missing something here, this solution is only going to solve the 'Facebook says i need a secure URL' problem, not 'Facebook says i need a secure URL so people can access my app over HTTPS without problems'
For a middleware system with internet (which works inside a set-top box) I want to develop a primitive Facebook interface where users can type their user-names and password, showing their latest notification, messages and other casual stuff on the TV screen by using the recent Facebook Graph API.
This middleware program uses Java ME to run programs (such as this simple facebook app) and it can connect to internet however it doesn't have a real web browser. Without browser it can connect to any url to retrieve the JSON response however I am not sure how to achieve authentication without a real browser.
Under this circumstances, is it possible Facebook authentication? If you think so, what approach would you suggest ?
Thanks
Facebook provides trusted partners with a private Authorization API to get an OAuth 2 token from a username / password.
A more complicated approach would be doing something similar to how Netflix enrolls a device:
device calls server to obtain a Code
device shows code on screen and directs user to go to URL on server and enter Code
server redirects user to Facebook and obtains OAuth token, user told to go back to device
device calls server with Code and obtains OAuth token
device can now make calls directly on behalf of user
According to this documentation on "Desktop Application Authentication" I don't believe your desired result is possible:
Facebook's OAuth implementation does not include explicit desktop application support. However, if your desktop application can embed a Web browser, you can add Facebook support to your application easily using the same OAuth User-Agent Flow used by JavaScript clients.
However, it is clearly possible for certain vendors to do this, since Microsoft's Xbox 360 Facebook application does exactly what you are proposing. I'd be interested to see if anyone has dug up any API for doing this that Facebook doesn't want in their most obvious documentation.
This isn't an answer but I'm trying to do the same thing. Check out this guy's blog which uses another server to proxy the requests:
cory wiles blog
If you figure it out please post a detailed answer here so I can do it to.. :)
I think it is possible though it is pretty complicated and subject to sudden changes of Facebook interface. It might break the agreement between you and Facebook.
What you do is to emulate the Facebook.
One path you have to set up a Facebook application. Once you got the authorisation from user, you can to something with Graph API.
You need to the Facebook log-in process and authorisation process. There are some capturing tools on http/https request and response. Analyse them, both header and body.
Once you know the authorisation mechanism, you can replace it with you own. Everything afterward is on Graph API.
Another path is to emulate Facebook login and message and notification process. Capturing and analysis is needed.
In the past I have used a tool called screen-scraper (full disclosure: I used to work there) to automate logging in to facebook. Basically, it imitates a browser session; it allows you to set session variables (i.e. username, password) which would then be submitted to facebook, just as if the user had submitted them in a browser.
You may not be able to use screen-scraper in your set-top box environment (although it is java-based, so it's possible it would work). Even if it doesn't, you could implement a similar strategy in java, making the HTTP calls a browser would make to load the login page and submit the user's credentials. To keep the user's info safe make sure whatever HTTP client library you use supports HTTPS.
Proxy tools and extensions like Charles, Fiddler2, Firebug, Chrome's dev tools, etc. are helpful in seeing exactly what the browser is sending to the server in requests.