3

My main JavaScript (and so all the static content) is included from https://static.anuary.com. The URL that the user is browsing is https://dev.anuary.com/somepath/.

Where does the channel file need to be, dev.anuary.com or static.anuary.com? At the moment it is http://static.anuary.com/channel.html.


I am asking because I am still getting the error that says:

Unsafe JavaScript attempt to access frame with URL https://www.facebook.com/dialog/oauth?access_token=[..]&api_key=[..]&app_id=[..]&client_id=[..]&display=popup&domain=dev.anuary.com&locale=en_US&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D6%23cb%3Df3ac7a0544%26origin%3Dhttp%253A%252F%252Fdev.anuary.com%252Ff373e908a8%26domain%3Ddev.anuary.com%26relation%3Dopener%26frame%3Df312def42c&response_type=token%2Csigned_request&scope=email%2Cuser_birthday%2Cuser_likes%2Cuser_interests%2Cpublish_stream&sdk=joey from frame with URL http://dev.anuary.com/658fe23c24564ac978c31d167549c4ce8b36686d65a78ad99bfb38765d46e232/. Domains, protocols and ports must match.


In response to @dtbarne:

Well, that's the thing – I still don't know, because I've tried both ways and in any case it produces the same error:

Unsafe JavaScript attempt to access frame with URL https://www.facebook.com/dialog/oauth?access_token=[..]&api_key=[..]&app_id=[..]&client_id=[..]&display=popup&domain=dev.anuary.com&locale=en_US&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D6%23cb%3Df1ee31b93%26origin%3Dhttp%253A%252F%252Fdev.anuary.com%252Ff9359b2f%26domain%3Ddev.anuary.com%26relation%3Dopener%26frame%3Df18e94f9c4&response_type=token%2Csigned_request&scope=email%2Cuser_birthday%2Cuser_likes%2Cuser_interests%2Cpublish_stream&sdk=joey from frame with URL http://dev.anuary.com/658fe23c24564ac978c31d167549c4ce8b36686d65a78ad99bfb38765d46e232/. Domains, protocols and ports must match.

Gajus
  • Is this still an issue? If so, at which point do you get this error? Since the URL in question is of the OAuth dialog, which is a bit weird. – Nitzan Tomer May 28 '12 at 18:19
  • It is still an issue. As far as I can tell, it is triggered when the authorisation dialog is sending a callback. Just to stress it (although stated already): people are visiting the page `https://foo.com/xyz/`, the static content (incl. JS) is loaded from `https://static.foo.com/xyz/`. – Gajus May 29 '12 at 13:53
  • And you now use the static or regular path for the channel? Also, what happens if you try it without specifying the channel at all when initializing the FB SDK? – Nitzan Tomer May 29 '12 at 13:56
  • I've tried both. The static and the base domain, and without a channel file at all. It would produce the same error in any scenario. Note that the error is not critical. – Gajus May 29 '12 at 15:05

3 Answers

1

Sounds like you know the answer already. It has to be on dev.anuary.com. The purpose is to allow for communication between FB and the URL the user accessed.

dtbarne
  • What about inside the channel file. Should the `all.js` be loaded through HTTPS all the time, or should I make it ` – Gajus May 17 '12 at 04:43
  • Keep it starting with `//` so that it will use the protocol of the page it's on. – dtbarne May 17 '12 at 04:44
  • In that case, see my updated question. Using Google Chrome, the up to date version. – Gajus May 17 '12 at 04:47
1

As you said yourself, this error is not fatal, and is meant as a warning to the user that something fishy might be happening.

Facebook also marked this issue as By Design in their bugs system: Bugs > Unsafe JavaScript attempt to access frame with URL....
Also, there are plenty of threads here on Stack Overflow about this, for example: Facebook Authentication - Unsafe JavaScript attempt to access frame with URL.

Now that we know that this "error message" is unavoidable, use the channel as you wish, as long as everything works for you.
You don't even need to use the channel, as it states in the documentation:

The channelUrl parameter is optional, but recommended. Providing a channel file can help address three specific known issues. First, pages that include code to communicate across frames may cause Social Plugins to show up as blank without a channelUrl. Second, if no channelUrl is provided and a page includes auto-playing audio or video, the user may hear two streams of audio because the page has been loaded a second time in the background for cross domain communication. Third, a channel file will prevent inclusion of extra hits in your server-side logs. If you do not specify a channelUrl, you can remove page views containing fb_xd_bust or fb_xd_fragment parameters from your logs to ensure proper counts.

But it also states that:

The channel file addresses some issues with cross domain communication in certain browsers.

So it's up to you to decide.
I personally recommend to use the channel and to serve the file from your regular server and not from the static servers.
You should however set the output to have a long caching expiration date so that your server won't get a lot of requests for this file, as they mention in the JS SDK documentation page:

```php
<?php
   $cache_expire = 60*60*24*365;
   header("Pragma: public");
   header("Cache-Control: max-age=".$cache_expire);
   header('Expires: ' . gmdate('D, d M Y H:i:s', time()+$cache_expire) . ' GMT');
?>
<script src="//connect.facebook.net/en_US/all.js"></script>
```

(PHP example, but can be done with any language).

Hope this answer clarifies things for you.

Nitzan Tomer
0

The channel file should be placed on the server / address the user visits, as the channel file is used to fix some cross-site JavaScript errors. If the user is always accessing your website using HTTPS, then you should reference the channel file using HTTPS as well as any other content.

The channel file itself should stay as `<script src="//connect.[..]`, but make sure all your static content and JS includes all have https in them.

Niraj Shah
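Added example, not part of the question or of any answer above: the comparison behind "Domains, protocols and ports must match", applied to the hosts named in the question, together with how a protocol-relative `//` reference resolves against the page URL. The `/channel.html` path on dev.anuary.com and the function names are assumptions made for illustration.

```javascript
// Added illustration; sample URLs are constructed from hosts named in the question.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (protocol, host, port) triple that the same-origin check compares.
function originParts(url) {
  const u = new URL(url);
  return {
    protocol: u.protocol,
    host: u.hostname,
    // URL.port is "" when the scheme's default port is in use.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// List the components that differ; an empty array means same origin.
function originMismatch(a, b) {
  const pa = originParts(a);
  const pb = originParts(b);
  return ["protocol", "host", "port"].filter((k) => pa[k] !== pb[k]);
}

// Resolve a reference, including protocol-relative "//host/path",
// the way the browser does: against the URL of the page that uses it.
function resolveAgainstPage(ref, pageUrl) {
  return new URL(ref, pageUrl).href;
}

const PAGE = "https://dev.anuary.com/somepath/";
const SAMPLES = {
  channelOnStatic: "http://static.anuary.com/channel.html",
  channelOnPage: "//dev.anuary.com/channel.html", // hypothetical location
  oauthDialog: "https://www.facebook.com/dialog/oauth",
};

// For each sample, show the resolved URL and which origin parts differ from the page.
function report(pageUrl = PAGE) {
  const out = {};
  for (const [name, ref] of Object.entries(SAMPLES)) {
    const resolved = resolveAgainstPage(ref, pageUrl);
    out[name] = { resolved, differs: originMismatch(pageUrl, resolved) };
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

The OAuth dialog always differs from the page in at least the host, whichever host serves the channel file, which is consistent with the message appearing in every configuration tried in the question.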