1

I have a Facebook app with a page tab installed on many pages.

I know I can parse, server side, the signed_request and have all the data I need on the page, the current user etc.

However, I just need to know the page ID, or even the page URL, using client side JS (so, no access to signed_request which is sent via POST, no PHP or other server side language).

Is there a way to grab that information alone? Even if unsigned and insecure?


I'd really love to know whether it is possible at all before setting up a server side process, however even if the answer is "no, you can't do it" please give some motivation on why the only way to know the current page should be a server side script, what security violations could possibly arise if Facebook was offering a way to know the current page in an insecure way.

Peter O.
Simone Gianni
  • I tried using document.referrer, but since Facebook uses a proxy PHP to load the iframe, that is not a way to obtain the URL of the current page. – Simone Gianni Feb 29 '12 at 14:01
  • I also tried using window.parent.document, but obviously it does not give me access to it, not even only the location. – Simone Gianni Feb 29 '12 at 14:30
  • In your scenario do you not have access to php or other server side language? Could you output signed_request as a javascript variable? Or is this not doable? I know you said you wanted a JS only solution, I'm just not sure why. If you can somehow output the signed_request to javascript then you could continue to do the parsing in javascript. – derickito Mar 02 '12 at 22:18
  • Hi derickito, yes I know I can parse it server side and pass it, however I'm currently working on a system that has few server side stuff, and would be great to have the page tab served more or less statically, eventually from a CDN. Also, I don't really understand why the page id/url should be so "secured", I don't see any security concern for Facebook to provide it unsecured for client-side scripting. – Simone Gianni Mar 04 '12 at 23:17
  • Simone, it's not about it being secure. It's simply that Facebook doesn't offer the page id in any other way. That's why there is no way around it. You can still use a CDN to serve the page tab, you just need a page with some php (or other backend language) to catch the page id and then forward it to your CDN. – derickito Mar 05 '12 at 14:39
  • Hi derickito, yes, you are right. All the signed_request stuff is to make sure my app receives secure data from Facebook, using private app key etc... and I don't understand why Facebook should not give access to such a simple thing as "the current page" without all that security, that's all. I will implement the server side parsing at the end :( – Simone Gianni Mar 05 '12 at 14:55
  • If that's your beef, then you should simply file a feature request at http://developers.facebook.com/bugs. – CoderFromOuterSpace Mar 05 '12 at 15:49

2 Answers

1

The signed_request (http://developers.facebook.com/docs/authentication/signed_request/) is part of the authResponse when calling FB.getLoginStatus() (https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/)

{
    status: 'connected',
    authResponse: {
        accessToken: '...',
        expiresIn:'...',
        signedRequest:'...',
        userID:'...'
    }
}

And inside the signed Request is the page id.

However, for this to work you will need to authenticate the user to your app. But at least you can do it all client side without any need for server-side scripting. And another really important item to remember is that you'll need your app secret to parse the signed request, and exposing that critically secret item in your client-side code will be extremely risky!

If your requirements say you can neither auth the user nor process the signed request server-side, then you won't be able to get the page id client side.

For security's sake, process the signed_request server-side. :)

Happy coding!

DMCS
  • unfortunately, (as mentioned in your answer) you **need** the user to be connected to actually get the `signedRequest`! – ifaour Mar 03 '12 at 07:27
  • You can parse the signed request also without exposing the private key, simply you cannot verify it is signed, but you can still parse it. However, as you correctly said, either the user is signed in, or you can access it only server side :( – Simone Gianni Mar 05 '12 at 15:02
  • Yep, that's it. Either hope the user isn't spoofing your code by processing it client-side without using the private key, or expose the private key and process it correctly client-side, or just do it server-side where Facebook recommends. – DMCS Mar 05 '12 at 19:13
  • As asked in the original question "Is there a way to grab that information alone? Even if unsigned and insecure?". So this way is the way to get it done unsigned and insecure. – DMCS Mar 05 '12 at 20:02
  • @DMCS I'm giving you the bounty, cause your answer was pretty close to what I was expecting. – Simone Gianni Mar 08 '12 at 16:43
  • @SimoneGianni That signedRequest does not contain any information about the page. To try an easier and working solution, have a look at my answer here: http://stackoverflow.com/questions/21887687/how-to-get-facebook-page-id-inside-page-fan-tab-using-facebook-javascript-sdk/23833163#23833163 – brainondev May 23 '14 at 15:37
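
The trade-off discussed in the answer and comments above, as an added example (not code from any of the posts or from Facebook's SDK): decoding a signed_request without the app secret versus verifying its HMAC-SHA256 signature server-side in Node.js. The secret, the sample payloads and their `page.id` / `page.admin` fields are constructed values, and the function names are hypothetical.

```javascript
// Added example. APP_SECRET and both payloads are constructed sample values.
const crypto = require('crypto');

const APP_SECRET = 'constructed-app-secret'; // must stay server-side only

const b64urlDecode = (s) => Buffer.from(s, 'base64url');

// What client-side JS can do without the secret: decode, not authenticate.
function decodeUnverified(signedRequest) {
  const [, payload] = signedRequest.split('.');
  return JSON.parse(b64urlDecode(payload).toString('utf8'));
}

// Server-side: recompute HMAC-SHA256 over the encoded payload and compare
// in constant time before trusting any field.
function verifyAndParse(signedRequest, secret) {
  const parts = String(signedRequest).split('.');
  if (parts.length !== 2) return null;
  const [sig, payload] = parts;
  const expected = crypto.createHmac('sha256', secret).update(payload).digest();
  const given = b64urlDecode(sig);
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return null;
  let data;
  try {
    data = JSON.parse(b64urlDecode(payload).toString('utf8'));
  } catch {
    return null;
  }
  return data.algorithm === 'HMAC-SHA256' ? data : null;
}

// Helper used only to build the constructed samples below.
function makeSample(obj, secret) {
  const payload = Buffer.from(JSON.stringify(obj)).toString('base64url');
  const sig = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
  return `${sig}.${payload}`;
}

const genuine = makeSample(
  { algorithm: 'HMAC-SHA256', page: { id: '1111', admin: false } }, APP_SECRET);
// Same shape, but signed by a party that does not know the app secret.
const forged = makeSample(
  { algorithm: 'HMAC-SHA256', page: { id: '9999', admin: true } }, 'wrong-secret');

console.log(decodeUnverified(forged).page);       // decoded without any check
console.log(verifyAndParse(forged, APP_SECRET));  // rejected: signature mismatch
console.log(verifyAndParse(genuine, APP_SECRET).page.id);
```
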
-2

Using window.top.location you can get the complete URL of the page tab. You can then parse the ID from there!

Gaurav Ramanan
  • Unfortunately not: since window.top comes from www.facebook.com domain, while my iframe comes from my domain, the browser is not allowing me to read window.top.location. It throws a security warning and returns a null location. – Simone Gianni Mar 05 '12 at 14:46
  • oops! Downvote :( It worked for our app. Maybe we did it during the authentication process... – Gaurav Ramanan Mar 05 '12 at 19:46
  • @DMCS Actually I'm upvoting it! – Gaurav Ramanan Mar 05 '12 at 20:08
  • I saw my question got downvoted, and then looked at your reputation (http://facebook.stackoverflow.com/users/950039/dream-factory?tab=reputation) tab and saw the - in there for my answer corresponding to the - I saw in my reputation tab. I see now that both of those entries are gone and cleared up. Thank you for fixing that up. Deleting my above comment. – DMCS Mar 05 '12 at 20:46
  • @DMCS nice tracing you have to apply on FBI ;) – Danish Iqbal Mar 07 '12 at 12:02