Trying to set up my first FB app, I tried using different PHP example codes, but for some reason when I try to access the app, I always get a Java window saying For security reasons, framing is not allowed. I have SSL on my server, and another FB app on my server that's not using FB SDK is working fine. Anyone has any ideas?
You will get that same error on StackOverflow if you try to open it in a frame as well. This is due to security concerns as it is the first step towards clickjacking a site. See this Coding Horror blog post for a full explanation.
TL;DR; Don't frame external sites...including FB which is in a different space than your server.
Related
Google no longer allowing embedded webviews as it is a disallowed_useragent for OAuth sign in. For most situations, this is completely fine and there is a workaround. However, I have run into a situation where this prevents websites from being able to use a web-server OAuth implementation.
The Issue:
Nginx PHP server running the Google PHP SDK, using their O-Auth implementation. This works fine on everything except embed browsers. Typically this is okay, however, if a user tries to sign up to our website in an app which uses an embedded browser, we get the disallowed_useragent error (See picture at bottom). This doesn't appear to be a problem in Android Facebook Messenger but can be replicated on the iPhone 7 Plus Facebook Messenger.
Current Research:
I tried to look for explicit workarounds. E.g. ways to force the link to open in the primary phone browser (e.g. Safari app) but all implementations point to app side fixes, which can't be done from a website.
Question:
How can I implement Google Oauth when some users may be using these embedded browsers, without making the user to take an extra manual action (e.g. Open in Safari/Chrome)?
This question is very opinion based but I will give you my opinion.
How should I implement Google Oauth when some users may be using these embedded browsers, without making the user to take an extra action?
You cant really. If someone is using an embedded browser in Facebook messenger (embedded browser) to open your auth link its not going to work. To my knowledge there is no way to force or over ride Facebook messenger or any other app that uses its own embedded browser. Again this is just my opinion but there are a lot of apps out which have started forcing their users to use these embedded browser's. One could question how secure they are and that it is better to use the real installed browser. Do you think this is why google has enabled this to begin with?
I would like to avoid going down the road of detecting the user-agent web-side and force the user to open the link in Safari.
I don't know that sounds like a pretty decent solution to me. It may feel a like over kill a little but if it works go with it.
There's another scenario that is causing issues.
If you have a web app - not a native app with an embedded browser - the user can always choose to put the shortcut to the HomeScreen in iOS.
But when they go to that HomeScreen shortcut to run the app, it will strip "Safari/6xx.x" from the user agent string.
Now, Google sees this as an "Embedded Browser" and denies access to OAuth.
So - "No Web-App-Capable" for you!
If you turn off this meta tag:
<meta name="apple-mobile-web-app-capable" content="yes"/>
two things happen in iOS:
The website now opens in the Safari browser window instead of the cleaner Web-App method.
The website uses the complete Safari useragent which will allow OAuth to work.
The real shame here is that the decisions of Google (To deny non-standard browsers to access OAuth) and Apple (To remove the Safari version in the user agent for homescreen shortcuts) have backed us into the corner where any site that could look really nice in web-app mode can't utilize this OAuth from google.
I've been trying to find a way to spoof the user agent to add the safari version into it so that everything works in homescreen web-apps, but I don't think I can make it work. It seems that safari doesn't allow you to change the navigator.userAgent and on top of that, I'm not sure how it would handle new popup windows in WebApp mode.
I have an android app on Google Play and also an website where.
For the moment, I am using javascript to detect if the device connected to the website is an android device. If is, I am displaying a popup dialog on the device inviting the user to download the app from the PlayStore. If the user clicks ok, he will be redirected to the PlayStore page of my app, I f he clicks no, he will continue using the browser.
Now, the problem is that when the user have installed the app and tryes to access the webpage again, he will be asked again to download the app, even if he allready installed it (which is not a good idea).
Do you know a solution on how to check if the user has allready the app installed on his mobile device?
It is also possible to do android detection with php, so if you have a method with php to detect if the app is installed, I can also use it.
Thank you very much.
I don't think this is possible for security reasons. I would not want some random website I visit to be able to access my phone Package Manager and find out what apps I have installed.
This would raise a lot of privacy and security concerns.
But I saw one answer that might have a different way of achieving your intent that might be useful to you:
https://stackoverflow.com/a/12901352/1369222
Even if the user doesn't install your application, your web site shouldn't ask more than one or two times to download your application from the PlayStore. The usual way of doing this is to use the browser's cookies in order to remember if it's a new visitor or not. It's not full proof because the cookies functionality could have been deactivated but at least, you won't have to worry about this problem for most of your visitors.
I'm trying to run the example.php file that comes with the facebook sdk. I do have a hosting server that runs php, and also changed the ID's to the corresponding one on my app. Here is the message i'm getting:
This webpage is not available
The webpage at https://filipeximenes.com/facebook/ might be temporarily down or it may have moved permanently to a new web address.
Error 501 (net::ERR_INSECURE_RESPONSE): Unknown error.
i'm pointing the canvas to this adress: http://filipeximenes.com/facebook/
Thanks.
Based on your description, I think that this is your problem:
Do you have a valid security certificate on the hosting server? I ran into that problem recently when deploying an FB app. Since October, you have to have a valid cert even in sandbox mode for the FB app to run properly. If you don't have one it causes weird problems.
Just a thought that I hope helps.
One other thing to do from a debugging perspective is to take a look at the actual app running on your hosting server without viewing it via FB. If you get the same error message there, you know that it has nothing to do with the FB SDK.
Thanks!
Matt
I have a facebook application that I built as an FBML app. Recently I noticed that FBML is deprecated and that Facebook now recommends only iframe apps. Something I initially avoided because my understanding is that iframes are not valid xhtml code, and at the time I was trying to write 100% validated code for everything.
However I also don't like building unsupported applications, so I set about changing my app to use fully rendered html pages using the iframe method of display.
My pages render perfectly on their own when I display them in their own window however they are completely blank in Safari when rendered inside a frame provided by Facebook. At first I was stumped and couldn't figure out why nothing rendered, until a friend using Internet Explorer told me he was seeing the following error:
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
So I started googling this error, and found mountains of forum discussions between confused people trying to get their frame code working and figured out it was an error that appeared overnight back in 2009 when IE8 was introduced. A little more digging on the Microsoft site reavealed that it is a security feature invented by Microsoft to prevent click-jacking.
The apparent cause of this is the server sending an X-Frame-Options heading, and the response of Firefox and Internet Explorer is to display an error message about security and frames, while the response of Webkit browsers such as Chrome and Safari is to render an unhelpful blank frame. I own the hardware running the apache server and I wrote all the html, and I certainly never explicitly sent the X-Frame-Options header, so I must assume that my installation of php sends this header by default on all pages that it serves up as a blanket security enhancement (either that or Apache is doing it).
Obviously, now that I know what causes it, I could figure out who is sending the header and stop it, but my question is on of best practises: Click-jacking prevention is obviously a worthy cause, and since some part of my server chain deems it important enough to send this header without asking, clearly someone thinks it is a good idea. However, Facebook apps, by design, load content from another website within an iframe, so I'm surprised there is little or no talk that I can find about this on the internet. Is there another way around this, or is it simply a case of something that should not be turned on for a page that is intended to be viewed from within an iframe?
Furthermore, if getting rid of the header is the correct approach, does anyone know why it is getting sent and where to turn it off? I'm running on a Snow Leopard Server with the default installation of apache and php.
Search the Apache config files for the option
$sudo grep -ir 'x-frame-options' /etc/apache2
Credit
I am currently in the process of creating a mobile version of my web app.
The app is being developed with Facebook's PHP Client Library.
The issue:
I am using the following mobile url to allow users to log in using the mobile devices:
http://m.facebook.com/tos.php?api_key=APIKEY&v=1.0&next=http%3A%2F%2Ftweelay.net%2Fm.php&cancel=http%3A%2F%2Ftweelay.net%2Fm.php
APIKEY being my app's actual Facebook API key.
In the url I am telling Facebook to redirect the user back to http://tweelay.net/m.php when the user signs in or clicks cancel on the log in screen. I am pulling my hair trying to figure out why it keeps sending the user to http://m.tweelay.net/m.php which is currently an invalid end point.
I have gone through all of my app's settings on Facebook and I cant find any that reference http://m.tweelay.net and going through all of my source code I cant find any that reference the m. sub-domain either.
Any ideas? Is there a setting I'm missing? Maybe a Flag in the library?
I've seen Facebook do this when detecting the mobile browser type and also sometimes randomly through Firefox (it can also happen when trying to get to facebook.com). I've managed to reset it sometimes, but it's not a guaranteed fix.
If you want to be sure the user makes it to your correct site I suggest creating the subdomain and redirecting traffic to your usual site, it's what I did and now I don't worry about it reverting back.