Sunday, May 20, 2012

Facebook JavaScript SDK over HTTPS loading non-secure items


I have a Facebook application that uses the Facebook Connect.js https://connect.facebook.net/en_US/all.js



I am running my application over HTTPS. All content on the site is delivered from https:// with the exception of some content that must be included within Facebook's Connect.js



The problem is that I get warning messages saying that there are non-secure items within the page.



I've checked what scripts are being loaded using Chrome's Developer Tools / Network tab to see what files are being loaded and from where.



The only one I can see that is being loaded over HTTP and not over HTTPS is a file called: http://static.ak.facebook.com/connect/canvas_proxy.php



How can I force this file to use HTTPS?



Many thanks,



P.


Source: Tips4all

6 comments:

  1. So this would give you the same protocol link:

    FB._https = (window.location.protocol == "https:");

  2. I wanted to post this as a comment as it is clearly not an answer but I am not allowed to (see this person's rant [http://goofygrin.wordpress.com/2011/02/01/why-stackoverflow-sucks-and-participating-there-is-impossible/]) so please do not penalize.

    UPDATE:
    It looks like this (at least my scenario) is a known issue and may have ironically been fixed last night after I posted my response: http://bugs.developers.facebook.net/show_bug.cgi?id=15200

    I am having a very similar problem. However, in my scenario, this is only occurring when I try to load my app in a tab on my Facebook page.

    Here you can view my canvas page with no SSL errors:
    https://apps.facebook.com/shc-welcome-page/welcome.aspx

    But if you go to the app's tab on my page, just a blank iFrame and a mixed SSL warning:
    https://www.facebook.com/synergyhomecare?sk=app_149463898446716

    Similar to the original post, the non-secure culprit seems to be: *http://static.ak.facebook.com/platform/page_proxy.php?v=2*

  3. Adding to Ralph Holzmann and Simon Bächler, the following is an even harder-hitting fix for when FB._https alone does not do the trick:

    // Tell the SDK the page is served over HTTPS before initialising it.
    FB._https = (window.location.protocol == "https:");
    FB.init({
      /* ... */
    });
    // Top-level page (not framed): point the static domain at its HTTPS variant.
    if (FB._https && window == window.parent) {
      if (FB._domain && FB._domain.staticfb && FB._domain.https_staticfb)
        FB._domain.staticfb = FB._domain.https_staticfb;
    }


    See also FB.Arbiter.inform() { ... FB.getDomain((d?'https_':'')+'staticfb',true) ... } where d=window!=window.parent&&... as of 2012-Feb-10.

  4. I would notify Facebook of this issue. It is definitely an issue that they would need to resolve, perhaps by putting in a switch statement to check the protocol.

  5. This seems to be caused by this Facebook bug.

    Also see this forum post.

    That bug was marked as resolved on 3/16, but I am still observing non-https requests to canvas_proxy.php. Hopefully this will be fixed for real soon...

  6. On a side note, if you have doctype declarations on your HTML page like,

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


    ... the reference to "http://www.w3.org" can also bring up the content warning error in IE

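Added example (not part of the original post or its comments, and not Facebook SDK code): the manual Network-tab check from the question, automated, including the protocol-relative references that follow the page's own scheme. The function name `findMixedContent`, the page URL `https://app.example.test/welcome` and the sample reference list are constructed for illustration.

```javascript
// Schemes that travel in clear text when requested from an HTTPS page.
const INSECURE_SCHEMES = new Set(['http:', 'ws:', 'ftp:']);

// Resolve every reference against the page URL, so relative and
// protocol-relative ("//host/path") references inherit the page's scheme,
// then return the ones that would still load over an insecure scheme.
function findMixedContent(pageUrl, resourceRefs) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only exists on HTTPS pages
  const findings = [];
  for (const ref of resourceRefs) {
    let resolved;
    try {
      resolved = new URL(ref, page);
    } catch (err) {
      // A reference the URL parser rejects is reported rather than ignored.
      findings.push({ ref, url: null, reason: 'unparseable' });
      continue;
    }
    if (INSECURE_SCHEMES.has(resolved.protocol)) {
      findings.push({ ref, url: resolved.href, reason: 'insecure-scheme' });
    }
  }
  return findings;
}

// Constructed sample input modelled on the URLs named in the question.
const SAMPLE_PAGE = 'https://app.example.test/welcome';
const SAMPLE_REFS = [
  'https://connect.facebook.net/en_US/all.js',
  'http://static.ak.facebook.com/connect/canvas_proxy.php', // absolute http: flagged
  '//static.ak.facebook.com/connect/canvas_proxy.php',      // inherits https: clean
  '/css/site.css',                                          // relative: clean
  'data:image/gif;base64,R0lGODlhAQABAAAAACw=',             // inline data: not a network fetch
];

if (typeof window !== 'undefined' && window.performance) {
  // In a browser console: audit what the Resource Timing API recorded for this page.
  const refs = performance.getEntriesByType('resource').map((e) => e.name);
  console.table(findMixedContent(window.location.href, refs));
} else {
  // Outside a browser (e.g. Node.js): run against the constructed sample.
  console.log(findMixedContent(SAMPLE_PAGE, SAMPLE_REFS));
}
```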