Well, on Facebook they seem to have a block which prevents you from loading an iframe of their website.
When you do, they lock the complete functionality of their website, for example.
I'm just wondering if anyone knows how you could bypass this?
If they did not prevent this, an attacker could load Facebook pages into a transparent iframe and put something interesting below it. Let's assume a victim has logged in to Facebook and then visits the website of the attacker (after some time, in another tab).
The victim will click on something on the attacker's website. But in fact it is clicking onto the transparent iframe and triggering some action on the Facebook website. The browser will of course send the session cookie to Facebook, and Facebook sees a legitimate action by a logged-in user.
Wikipedia has an article on clickjacking: http://en.wikipedia.org/wiki/Clickjacking
This attack can be prevented using the unofficial X-Frame-Options HTTP header as described on
http://www.webmasterworld.com/webmaster/4022867.htm . Unfortunately not all browsers support it, so a frame-breaking JavaScript is required, too.
If you can do that, Facebook faces a serious security threat.
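An added example, not code from the original answer, showing both defences the answer mentions in a form that can be exercised outside a browser: the server-side response header, and a frame-busting script that ships the page hidden and only reveals it at top level, rather than relying on the naive top.location redirect (which a hostile parent can block). The header builder also emits the Content-Security-Policy frame-ancestors directive, the standardized successor to X-Frame-Options, which goes beyond what the answer names. The element id `antiClickjack`, the function names and the URLs in the comments are assumptions made for this example.

```javascript
// Added example (not from the original answer). Two layers against clickjacking.

// 1. Server side: response headers telling the browser whether this page may be
//    framed. X-Frame-Options is the header the answer refers to; the CSP
//    frame-ancestors directive is the standardized equivalent, sent alongside it.
function antiFramingHeaders(mode) {
  // mode: "DENY" (never framed) or "SAMEORIGIN" (only by same-origin pages).
  if (mode !== 'DENY' && mode !== 'SAMEORIGIN') {
    throw new Error('mode must be DENY or SAMEORIGIN');
  }
  return {
    'X-Frame-Options': mode,
    'Content-Security-Policy':
      mode === 'DENY' ? "frame-ancestors 'none'" : "frame-ancestors 'self'",
  };
}

// 2. Client side: frame busting for browsers that ignore the header. The naive
//    "if (top != self) top.location = self.location" fails open: a hostile
//    parent can block the navigation and the page stays visible under its
//    overlay. So the page is shipped hidden, and only a top-level window reveals
//    it; a framed copy that cannot escape stays blank and unclickable.
//
// The page is assumed to start with (id is this example's choice):
//   <style id="antiClickjack">body { display: none !important; }</style>
// `win`/`doc` are passed in so the logic can be run against constructed objects;
// in a browser call applyFrameBusting(window, document).
function applyFrameBusting(win, doc) {
  if (win.self === win.top) {
    // Not framed: remove the hiding rule so the page renders normally.
    const hide = doc.getElementById('antiClickjack');
    if (hide && hide.parentNode) hide.parentNode.removeChild(hide);
    return 'top-level';
  }
  // Framed: attempt to replace the attacker's top-level page with ours.
  // If that is blocked, the body stays hidden and there is nothing to click.
  win.top.location = win.self.location;
  return 'framed';
}

// Run on load in a browser; a no-op under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameBusting(window, document);
}
```

The ordering matters: the `<style>` must precede any content and the script must run early, so that a framed page never has a visible, clickable instant before the check executes.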
I say forget it; even if a method is found, Facebook would soon block it, and the method will fail then.
Unless you are doing something naughty and you only need something that works now.
I want to open my small platform to developers, so they can build applications that could be inserted in our site as iframes. Similar to what Facebook is doing, but no, I am not trying to build another Facebook :). From what I understand, developers can build Facebook applications using iframes.
Question: I am wondering about security from the Facebook user's perspective. How does Facebook prevent an application developer from putting malicious JavaScript code inside the iframe? I haven't noticed any automatic mechanism that prevents including something like that in an iframe.
Thanks
No, this is not a problem at all; I think you are worrying for nothing.
There are no security issues that you need to worry about yourself; the loaded page in the iframe is sandboxed and is "guarded" by the browser.
The two iframes can't even communicate with one another since they are not sharing the same domain, and modern browsers will block any attempt to execute JavaScript code in another frame if the two frames have different domains.
What Facebook did was to work around that problem: each iframe app in Facebook loads the Facebook JavaScript SDK, which then enables the nested iframe to make requests to Facebook and be notified (by callbacks) when the data returns.
As for "malicious JavaScript code inside the iframe to attack the user's computer via the browser", the iframe has the exact same security policies enforced by the browser as any other browser page; if someone manages to somehow bypass those policies, it makes little difference where it's loaded, and Facebook are not enforcing any other security measures.
The only thing you need to worry about is that scripts inside the iframe will be able to access your scripts and/or DOM, which should not happen unless you create a mechanism which will let them (somehow bypass the cross-domain policy).
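An added example, not the original answer's code and not Facebook's SDK, of how a host platform like the one in the question can embed a developer's app in an iframe and still exchange messages with it. It relies on the browser isolation the answer describes and makes explicit the part the answer leaves implicit: the host must only trust messages from registered app origins, the app must live on a different origin from the host, and every accepted message type must be validated. The app registry, origins, user object and message types are constructed for the example.

```javascript
// Added example (not from the original answer, not Facebook's code). Embedding
// untrusted third-party apps in iframes and talking to them with postMessage.

// Origins of apps registered on the platform (constructed sample data). A Set
// rather than a plain object, so a lookup can never match an inherited property
// such as "constructor".
const REGISTERED_APP_ORIGINS = new Set(['https://app-one.developer.example']);

// Build the embed markup. `sandbox` removes every capability not listed: the app
// may run scripts and submit forms but cannot open popups or navigate the host.
// allow-same-origin keeps the app's real origin (otherwise its messages would
// arrive with origin "null" and could not be attributed), which is only safe
// because the app is required to live on a different origin from the host.
function appFrameHtml(appUrl, hostOrigin) {
  const u = new URL(appUrl);
  if (u.protocol !== 'https:') throw new Error('apps must be served over https');
  if (u.origin === hostOrigin) throw new Error('apps must not share the host origin');
  if (!REGISTERED_APP_ORIGINS.has(u.origin)) throw new Error('unregistered app origin');
  // u.href is a normalized URL; the URL parser percent-encodes quote characters,
  // so it is safe inside a double-quoted attribute.
  return `<iframe src="${u.href}" sandbox="allow-scripts allow-same-origin allow-forms"></iframe>`;
}

// Host-side handler for one MessageEvent-like object { origin, data }.
// Untrusted origins are rejected before the payload is looked at, and only a
// small set of message types with validated fields is served.
function handleAppMessage(event, currentUser) {
  if (!REGISTERED_APP_ORIGINS.has(event.origin)) return { ok: false, reason: 'untrusted origin' };
  const msg = event.data;
  if (!msg || typeof msg !== 'object') return { ok: false, reason: 'malformed' };
  switch (msg.type) {
    case 'getUserProfile':
      // Expose only the fields the app is allowed to see, never session state.
      return { ok: true, reply: { type: 'userProfile', id: currentUser.id, name: currentUser.name } };
    case 'setHeight':
      // Let the app size its own frame, within bounds, so it cannot cover the host UI.
      if (!Number.isInteger(msg.height) || msg.height < 0 || msg.height > 4000) {
        return { ok: false, reason: 'bad height' };
      }
      return { ok: true, reply: { type: 'heightSet', height: msg.height } };
    default:
      return { ok: false, reason: 'unknown message type' };
  }
}

// Browser wiring (skipped under Node). Replies name the target origin explicitly
// rather than "*", so a frame that has navigated elsewhere cannot read them.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const result = handleAppMessage(event, window.CURRENT_USER);
    if (result.ok) event.source.postMessage(result.reply, event.origin);
  });
}
```

The host page itself should still carry an anti-framing header, since the isolation here protects the host from its embedded apps, not from being embedded by someone else.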
I have installed the vBulletin Facebook app for a client, and am trying to link the app page from within the sidebar on the Fan Page for the site. However, the page returned upon clicking the link is blank. I think this may be a fault on vBulletin's side (which sadly has little to no debugging facilities that I can see), possibly the referrer does not match the App URL. Has anybody come across this problem before?
Any possible workarounds via Facebook? I have tried setting the Page URL to the apps.facebook.com URL but it didn't work and through a search I've found that it's not the right approach anyway.
Edit: I have also tried iframe within an iframe, like setting the page url to a page and having an iframe in that one. It didn't work, but then again it's fairly obvious why it didn't. The last resort I think would be to see if I could reverse engineer the vBulletin code to ignore referrers or allow a different one (if it's even the problem).
Double edit: Perhaps just a way to send a link off to a new window via the app tab??
Thanks
Is it coming from an SSL site? I think now all fan pages have to come from an SSL site or they will error out. -Buddy
Could someone tell me how this could be done?
http://l.yimg.com/p/social_buttons/facebook-share-iframe.php?u=http://www.lifehacker.com
This is basically a Facebook share button that is used by Yahoo in one of their blogs. The reason I am interested in this is because
1. it is very fast.
2. Has very few requests to Facebook servers, unlike the Facebook iframe Like button.
I currently use the Facebook iframe button and it makes a lot of requests to the fbcdn servers.
It looks to me like you're asking about manually tacking the count on the end of a plain graphic:
http://l.yimg.com/p/social_buttons/facebook-share-iframe.php
If so, what you're talking about is generating a graphic (i.e. PNG, but you can do JPG as well) and maybe using an FB API to get at the current count, if you're not tracking it yourself. Using the API isn't trivial to set up or use, but after you get the pieces in place, it's fairly intuitive to use.
If you're talking about just doing a different button, I'd advise against it. That's just how that Facebook feature works. It's great because it works out of the box, though it does have requests to FB servers for it to work.
Came into the office today to do some more work on my nearly completed Facebook Connect website application.
And I have discovered that, for some reason, the "onlogin" event of the fb:login button FBML control is no longer getting fired!!?!
To anyone else that has a Facebook Connect FBML app (and is using the JavaScript API for authentication), I would advise you test your application to make sure it's still working.
A friend of mine's app (which is live) has also stopped working as of today.
What's happening is you click on the "Connect to Facebook" button, it shows the FB login dialog, you log in.
Yes, they are being logged in to Facebook correctly (thankfully), but the "onlogin" callback event is not getting fired anymore, so the page just sits there (where before the "onlogin" event would redirect to the homepage, for example).
Of course if you refresh, you are logged into Facebook.
Seriously, WTF - what have those developers at Facebook done now?!?!
Any ideas? Has anyone read any updates/threads on this issue?
UPDATE:
8 hours and still no fix in place. I've tried to do some workarounds (there is also an onclick event of the FBML Login Button), but it's all too early in the authentication cycle.
We need to be able to hook into a post-login callback to do things like redirects, permission popups, authentication logic, etc.
Nothing we can do without Facebook fixing this.
I just hope when I come in the office tomorrow this will be 'magically' fixed, much like this issue 'magically' appeared.
Well, judging by the comments here I'm not alone. It's obvious at this point that Facebook have made a change somewhere, without telling us.
I just hope they rectify this issue ASAP as there is no workaround I can see for this.
UPDATE 2
Yep - (drum roll), it's yet ANOTHER bug from that team of world-class developers at Facebook (thanks Anon for finding the link): http://bugs.developers.facebook.com/show_bug.cgi?id=11733
I love how the comment from the FB guy Marc says "Only seems to be happening on old Facebook Javascript SDK". Well, enable us to do server-side authentication with your Graph API (instead of just for retrieving user details/posting), and we won't have to use the old JavaScript API!
Fun and games.
FINAL UPDATE
Facebook have (seemingly) fixed this.
Let's hope it stays fixed.
Given the 'correct' answer to Anon (as he found the link).
Please confirm and vote on this bug... this should be fixed asap!!
http://bugs.developers.facebook.com/show_bug.cgi?id=11733
If in FB.getLoginStatus you are passing the second parameter as true, please make it false.
I resolved the callback issue using this trick.
Thanks
This is a bug and they are about to fix it
It's quite possible I'm missing something obvious here; I hope so.
I have been trying to get a Facebook game that posts to the user's wall after the game has finished working. As I understand it, this should be a pretty simple process (and there appears to be several different approaches).
I have tried most of these, and they all seem to fail for the same reason; I do not have a 'connect' URL (which, as I understand it, is also called a canvas callback URL?) set correctly.
This sounds easy to fix, but it seems like the application settings page has recently changed. Often a 'connect' tab is referred to, but this no longer exists. All I have is a 'Facebook integration' tab and this has only the canvas URL, there doesn't appear to be a connect URL.
You need to set the URL in the Website section. You'd be best setting the domain as well just to make sure. I find it best practice to set the URL in the Facebook Integration tab as well as the Website tab, regardless of the type of Facebook integration I am creating.
You are correct that the error message is out of date, the connect URL is the Website URL now (just wanted to clarify)