4

I've been working on this particular error for a week now, debugging different social buttons and narrowing it down to Facebook in general: every "Like" button I've implemented (HTML5, xfbml, etc.) triggers the same cross-domain scripting error. Basically, Facebook is triggering this error with every iFrame (like below) upon clicking "like":

Unsafe JavaScript attempt to access frame with URL http://mediacdn.disqus.com/1326940420/build/system/def.html#xdm_e=http%3A%2F%2Fwww.vancitybuzz.com&xdm_c=default4311&xdm_p=1& from frame with URL http://www.facebook.com/plugins/like.php?channel_url=https%3A%2F%2Fs-static.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df31a0247d%26origin%3Dhttp%253A%252F%252Fwww.vancitybuzz.com%252Ff3c0eb7e0c%26relation%3Dparent.parent%26transport%3Dpostmessage&extended_social_context=false&href=http%3A%2F%2Fwww.vancitybuzz.com%2F2012%2F01%2Fchinese-new-year-events-2012-vancouver-richmond-burnaby%2F&layout=box_count&locale=en_US&node_type=link&sdk=joey&send=false&show_faces=false&width=90. Domains, protocols and ports must match.

Why this isn't a duplicate: the issue occurs even in the absence of the twitter button and google+ button. it also occurs in every implementation of the "like" button. the symptoms point to a new issue.

Methods attempted: I've tried multiple "versions" of the Like button all with the same issue. It's even conflicting with DISQUS.

Suspects: Pages that do not have any DISQUS code are functioning normally. This variable (output by DISQUS wordpress plugin) is suspect:

var facebookXdReceiverPath = 'http://www.vancitybuzz.com/wp-content/plugins/disqus-comment-system/xd_receiver.htm';

In addition, javascript output by Facebook is also suspect.

See it yourself: Go to http://www.vancitybuzz.com/2012/01/research-in-motion-ceos-resign/ it's likely to change, though.

The Question

Given the information here, does anyone know of a workaround to force out the cross-domain error? Many thanks.

crockpotveggies
  • 12,682
  • 12
  • 70
  • 140
  • This is not only for Facebook, it happens for every cross domain request like Google plus1 etc. Take a look at this http://stackoverflow.com/questions/4324108/unsafe-javascript-attempt-to-access-frame-with-url – The Alpha Jan 24 '12 at 01:24
  • Would that mean I need to find both static and dynamically-generated "parent.locations" and unify the domains? Do you know where/if Facebook throws it in? Thanks! – crockpotveggies Jan 24 '12 at 01:36
  • Just for clarification, is the error causing any functionality to break, or just cluttering your console? Browsers tend to log security exceptions even if they happen in a try/catch block (I guess to warn paranoid users that a site may have *tried* to do something naughty?). Most cross-domain AJAX hacks require a number of tries and catches to figure out which method will work in your particular browser. – Mike Ruhlin Jan 24 '12 at 01:48
  • @MikeRuhlin i'm leaving no stone unturned, but I suspect that this might be affecting facebook "counts" although a different and unrelated issue here is probably the cause: http://stackoverflow.com/questions/8953786/new-xfbml-like-button-cloudflare-503-error-kills-count – crockpotveggies Jan 24 '12 at 01:58

1 Answers1

2

After multiple people have looked into this, including myself, currently there is no workaround for cross-domain errors because Facebook uses iFrames for communication.

This would also apply to the Google Plus button as it stands today.

However, the future looks bright. Google devs (and likely Facebook, too) have confirmed they are working on a new solution.

In the meantime, some people have reported that using Facebook and other widget plugins seem to alleviate the problem in Wordpress-structured sites. No guarantees.

http://mashable.com/2010/05/07/wordpress-facebook-like-buttons/

The Future: I wouldn't be surprised if websockets (and flash ws fallbacks) are used, but I'll leave that to the platform devs

crockpotveggies
  • 12,682
  • 12
  • 70
  • 140