
I am trying to call the Facebook Graph API via JS, like this:

    FB.getLoginStatus(function(response) {
        console.log("Get login status: ", response);
    });

Unfortunately, I receive the following error:

Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://

I am using my localhost environment, `http://localhost:8100`, which is what will be used later on the actual device as a Cordova mobile app.

Does that mean every request I make with this app is insecure? How do I fix this?

Thanks.

Raz
  • Won't this help: https://stackoverflow.com/questions/43677457/how-to-create-a-https-server-on-localhost? If you're testing in browser it may help. When you build and sign your application it should work as it is though. – scor4er Mar 30 '18 at 12:44
  • I am using ngrok. But here I need to use it with Cordova – Raz Mar 30 '18 at 13:29
  • Are you testing your application in a browser? If so, just configure your local web server to be https; I don't see how Cordova is related here. – scor4er Mar 30 '18 at 13:43
  • If you're trying to run the app on a specific platform (android, ios) and it's throwing you this error - it's a different case. If so, I don't understand what your `http://localhost:8100` address means. – scor4er Mar 30 '18 at 13:45
  • Okay, I will try to explain this better. The app is running through Cordova on the user's device. This is not on a global domain like just another website. It's a localhost program. Now when I am trying to do some requests with the FB JS SDK it throws the error I have mentioned. If this was on a global domain I could use HTTPS://www.mydomain... Since it's not a global domain, I cannot set this to be: HTTPS://localhost or HTTPS://what_cordova_actually_make_this_users_device.. – Raz Mar 30 '18 at 15:31
  • I am not sure whether there's anything official yet from either FB or the Cordova makers on how developers are supposed to handle this issue. I can't really see FB lifting this restriction for this type of app, because surely the "bad boys" would then find a way to somehow abuse this to make it work for other types of apps again, too, and send sensitive data to remote recipients insecurely. – CBroe Mar 30 '18 at 15:58
  • I guess they'll have to come up with a solution to set it up so that either `https://localhost/` or some other locally resolved host name will work. Whether the webview used(?) can somehow be configured to accept a self-signed certificate for this, or if it will require some sort of "official" solution (like a trusted certificate issued for a certain host name by Facebook themselves or sth. like that), I guess 3rd-party developers will have to wait and see for now. – CBroe Mar 30 '18 at 15:58
  • I am still able to work securely when I am loading scripts over HTTPS like : . And I am also still able to send AJAX requests to https://www.someaddress in the URL. Both don't ask that my domain have HTTPS in order to receive and send secure data. So how does Cordova app security work? Now let's leave FB aside for a second. If someone types something in my Cordova app it's not encrypted by itself, so it's a problem even before the FB issue. Isn't it? How to solve this using Cordova? – Raz Apr 01 '18 at 08:08

0 Answers