Just when you’re starting to figure out Facebook’s latest system they’re bound to throw a wrench in to complicate things. Facebook recently made an un-announced change in the way they handle secure browsing on their site. Users are now offered secure browsing on Facebook by just changing their preferences under Account Security to “Browse Facebook on a secure connection.”

While this is great for the user, many developers have been caught off-guard by this and if they didn’t set up a secure canvas page, their users may see a big red warning instead of their content!

Facebook security warning on iframe

Facebook announced today that on July 1, 2011 they’ll release an update to their developer Kit (SDK) that will use OAuth2.0 and a new cookie format that doesn’t require access tokens.

Developers for apps (that includes those iFrames) will be required to “migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1, 2011”.

Here’s the current timeline taken from Facebook’s developer blog:

Migration to OAuth 2.0 + HTTPS timeline:

  • July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
  • September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
  • October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode).

What about now?

As of now, in order for users who have enabled SSL on Facebook to see your tab you’ll need to make some changes to your iFrame settings.

Get yourself an SSL certificate. Your hosting provider should be able to sell you one as an add on for somewhere around $30/year.

Go to your application on the Facebook’s developers page.

Both the secure Canvas URL and the Secure tab URL must now contain a link to a site with an authenticated SSL certificate.

If in the past you let that slide and left it empty, admins will see the following message on their Facebook page where the iFrame should be loading.

Secure Facebook tab URL

All of the links within that framed content must be HTTPS and NOT HTTP URLs. Mixing secure and non secure content is…well it’s not secure! That includes images, CSS and script files, anything in your meta tags etc. It does not include outgoing links to content on other sites or relative links like this “/myfiles/somepage.html

You don’t really want users to be seeing something like this…

Facebook Tab security

My honest recommendation here if you’re not a developer is to use one of the many services that can provide a framework for you or custom design content. Check out HyperArts TabPress application. For less than $100 you can let them deal with the headaches of Facebook’s ever changing policies!

I also like hubze’s iframe Engine and PageModo for quickly implementing template driven pages.


One comment on “Facebook throws a wrench at developers. Again

Leave a Reply