Facebook canvas apps HTTPS and HTTP

Question

I have created two Facebook canvas apps. I am having problems with people accessing the apps. In the app settings you must enter:

Canvas URL Secure Canvas URL

Secure Canvas URL wont accept HTTP links but only HTTPS. When some of my users go to my app link like http://apps.facebook.com/my_app Facebook automatically redirects them to https://...

Canvas app content is loaded from my server which is only accessible via HTTP. The users which are redirected to https://apps.facebook.com/my_app then can not load my app since Facebook canvas wants to load content from my server via HTTPS. How do I solve this, without enabling SSL on mu server?

And not all users are redirected to https://apps.fa...? How is this handled?

score 8 · Answer 1 · edited Jan 09 '16 at 10:50

8

I have come up with an interesting hack for this problem.

You can create a HTML file that is accessible over HTTPS that just redirects to your webpage. For example, you can use dropbox. Since Facebook loads your secure canvas URL page in an iframe, your code needs to redirect the top page. Something like this.

<html>
  <head>
    <script>
    function onLoad() {
      window.top.location.href="<your website>";
    }
    </script>
  </head>
  <body onload="onLoad()">
    <p>Please wait while you are being redirected to <your website name>…</p>
  </body>
</html>

And provide this link as the secure canvas URL. I blogged about this in more detail - http://blog.almabase.com/post/84579042935/interesting-hack-for-facebook-secure-canvas-url

edited Jan 09 '16 at 10:50

Community

1
1

answered May 03 '14 at 03:12

UnTechie

365
2
7

This answer should be accepted, since it answers the question. – Paolo Stefan Oct 03 '14 at 05:08
This method redirects you to the website. It doesn't load the site in the iframe which is what a canvas app is. – JJJ Jan 16 '15 at 04:37
1

This worked fine for me. To use a DropBox url, note you have to change the link DropBox will give you from https://www.dropbox.com/s/... to http://dl.dropboxusercontent.com/s/... . Also when entering the dropbox url into the "Secure Canvas URL" in your FaceBook app configuration page, add a question mark to the end of the URL for it to be accepted. – Aidan Jan 09 '16 at 10:00

score 7 · Accepted Answer · answered Sep 05 '11 at 14:02

7

Basically, you must provide https support. At the moment, you can still leave the Secure Canvas URL field empty to avoid doing so, but it will be required starting October 1st.

answered Sep 05 '11 at 14:02

chwk

441
2
7

1

Looks like I will have to invest into SSL certificate. – Primoz Rome Sep 06 '11 at 21:03
2

Some providers offer SSL proxy services. You can specify a URL like http://www.sslproxy.whatever/yourapp/ that simply loads/forwards your normal content. Using this kind of service does not put your app in the "most trusted" category, of course, and browsers might complain. – chwk Sep 12 '11 at 11:43

score 2 · Answer 3 · edited Sep 05 '11 at 18:52

2

Facebook users that have explicitly said they want to use HTTPS in their account settings get redirected to HTTPS. Your application has to support HTTPS by October 1st, as announced by Facebook here: https://developers.facebook.com/blog/post/497

edited Sep 05 '11 at 18:52

Jont

972
5
10

answered Sep 05 '11 at 12:53

TJHeuvel

12,403
4
37
46

score 1 · Answer 4 · answered Sep 05 '11 at 14:12

Without enabling SSL on your server, you could try social-server.com However, this is only a quick workaround. Your users might get nasty security messages from their browsers while using https.

The best solution is to buy a SSL certificate if you still want to develop Facebook apps.

Facebook canvas apps HTTPS and HTTP

4 Answers4