 

Facebook JavaScript SDK over HTTPS loading non-secure items

I have a Facebook application that uses the Facebook Connect.js.

I am running my application over HTTPS. All content on the site is delivered from https:// with the exception of some content that must be included within Facebook's Connect.js

The problem is that I get warning messages saying that there are non-secure items within the page.

I've checked what scripts are being loaded using Chrome's Developer Tools / Network tab to see what files are being loaded and from where.

The only one I can see that is being loaded over HTTP and not over HTTPS is a file called http://static.ak.facebook.com/connect/canvas_proxy.php.

How can I force this file to use HTTPS?

asked Mar 06 '11 17:03 by paperclip




1 Answer

TL;DR

Set FB._https to true before calling FB.init. Like so:

    FB._https = true;
    FB.init({
        /* your app id and stuff */
    });

Explanation

If you unminify the Facebook JavaScript SDK, you'll see that it's basically an object literal with a bunch of properties. One of these properties is _https, which is a boolean. This property determines which set of URLs to use (stored in FB._domain) when making API requests. It seems as though Facebook keeps two sets of URLs for each type of API request -- a secure URL and a non-secure URL -- then uses a switch function called getDomain() to determine which to use when making requests.

The reason the JavaScript SDK causes security warnings is the way the FB._https property is defined. This is how it's currently defined as of 2011-8-24:

    _https: (window.name.indexOf('_fb_https') > -1)

Apparently Facebook thinks that if the window.name property has _fb_https in it, then it must be a secure app. This is obviously incorrect. The real test should be something similar to this:

    _https: window.location.protocol == "https:"

Unfortunately, the SDK is not open source or even well documented, so I can't submit a pull request for this change :P. In the short term, setting FB._https to true manually before calling FB.init should do the trick.

answered Sep 27 '22 23:09 by Ralph Holzmann
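The mechanism the answer describes, as an added example that is not code from the answer, from the question, or from Facebook's SDK. It builds a small constructed stand-in for the relevant part of Connect.js (a _https flag taken from window.name, a table of http/https URL pairs, and a getDomain() switch), then applies the fix: decide _https from the page's own protocol (the check the answer says the SDK should have used) and set it before init so the secure table is chosen. The shape of the _domain table, the init behaviour, the secure hostname static.example.invalid and the appId option are all assumptions made for this example; only http://static.ak.facebook.com/connect/canvas_proxy.php comes from the page.

```javascript
// Added example. Constructed stand-in for the old Connect.js internals the
// answer describes; the real SDK's fields are not reproduced here.
function makeFakeFB(windowName) {
  return {
    // As quoted in the answer: "secure" only if window.name contains '_fb_https'.
    _https: windowName.indexOf('_fb_https') > -1,
    _domain: {
      static: 'http://static.ak.facebook.com/',        // host named in the question
      https_static: 'https://static.example.invalid/', // placeholder, assumed
    },
    // Switch between the plain and the https_-prefixed entry of the table.
    getDomain(name) {
      return this._domain[(this._https ? 'https_' : '') + name];
    },
    // Models the SDK resolving the proxy URL at init time; returns it so the
    // effect of _https can be observed.
    init(opts) {
      this._appId = opts.appId; // 'appId' option name is an assumption
      this._proxyUrl = this.getDomain('static') + 'connect/canvas_proxy.php';
      return this._proxyUrl;
    },
  };
}

// The fix from the answer, with the protocol test the answer proposes:
// set FB._https from the page's protocol *before* FB.init runs, so that
// getDomain() picks the secure URL set for everything resolved at init.
function initForceHttps(FB, location, opts) {
  FB._https = location.protocol === 'https:';
  return FB.init(opts);
}

// Mixed-content check: given the URLs a page loads (e.g. copied from the
// Network tab), return the ones fetched over plain http while the page
// itself is served over https.
function findInsecureUrls(location, urls) {
  if (location.protocol !== 'https:') return [];
  return urls.filter((u) => /^http:\/\//i.test(u));
}

// Demonstration with constructed inputs: an https page whose window.name
// is empty, first without and then with the fix.
function demo() {
  const httpsPage = { protocol: 'https:' };
  const before = makeFakeFB('').init({ appId: 'APP_ID' });
  const after = initForceHttps(makeFakeFB(''), httpsPage, { appId: 'APP_ID' });
  return {
    before,
    after,
    insecureBefore: findInsecureUrls(httpsPage, [before]),
    insecureAfter: findInsecureUrls(httpsPage, [after]),
  };
}

console.log(demo());
```

Setting the flag after FB.init has no effect on URLs the SDK already resolved during init, which is why the answer insists on ordering; deriving the flag from window.location.protocol rather than hard-coding true also keeps an http-served development copy of the page working.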