Facebook SDK FB.GetLoginStatus Load denied by X-Frame-Options (Firefox Only)

Question

I have this web application login page that calls FB.GetLoginStatus() from the Facebook JavaScript SDK after the document is done loading. This worked perfectly fine on all browsers (mobile included) and that was the happily ever after.

BUT, one day, out of plain nowhere, I notice that the SDK is failing to get the login status data of the Facebook user when the page is done loading. I take a look in the console and I see something around the lines of

Load denied by X-Frame-Options [massive link generated by the SDK] does not permit framing.

Here's what bugs me: this works perfectly fine in Safari. I was introduced to the error when I opened the web app on Chrome (same error as quoted above, slightly different wording). I tried on Firefox and got the same thing. I spent a few hours trying to find a cause but failed and went to sleep.

I wake up the next day and miraculously it's now working on Chrome (?) without me having done any changes (?!). But, for some reason, the error persists only in Firefox now.

Does anyone have a clue what this might be? Something that Firefox does differently that Safari and Chrome don't?

A clue here is that I'm using a tunneling service (ngrok) and I don't have a signed certificate for it, thus I get the casual (you're entering an 'unsafe' website, blah blah blah). Perhaps Firefox is blocking the SDK because the connection is not secure?

Any insight on this would be marvelous. Thanks 🙂

Answer 1

OK, after fighting this for a few hours I finally found out what was bothering Firefox: the website site URL field in the app's Facebook Dashboard settings.

The issue wasn't even with ngrok or a missing signed certificate, it was the fact that the website in the settings had the production domain (.app) instead of the ngrok one I'm currently using for development (eu.ngrok.io).

The only reason I managed to pinpoint this back to the dashboard settings is because I have 2 Facebook apps, and the other one was working fine, so I imagined it might be a misconfiguration in the settings that was causing the issue (Facebook has a shitty standard in place for explaining/handling errors — it's like shooting in the dark until you hit something when using their SDK's).

What I don't understand here is why the heck only Firefox seems to have a problem with this setting being misconfigured or why the issue disappeared out of nowhere from one day to the next for Chrome. Anyways, if I managed to help anyone else fix anything similar with this thread than this headache has been worthwhile.

Peace out ✌🏽