Facebook SDK makes an insecure request to xd_arbiter.php
I have a Facebook app that loads from my server as an iframe inside a fan club. I am using the JavaScript SDK to handle Facebook authentication.
When I access a fan in IE via HTTP, the console displays the following HTTPS security error: SEC7111: HTTPS security compromised http://static.ak.facebook.com/connect/xd_arbiter.php?version=18
which makes the user see an "unsafe content" warning. I understand this has to do with the way IE handles cross-domain iframe loading.
More details:
- Happens when FB.init is called (xd_arbiter.php is requested by the FB SDK when FB.init is called).
- This only happens in IE (specifically IE 9). No security warnings in Chrome or FF.
- Only happens when loading Facebook via HTTP, not HTTPS. I would have thought it would be the other way around ... so Facebook has to load something over HTTPS even if the fan page is loaded over HTTP.
What I have tried:
- Setting FB._https = true before calling init (not working, deprecated).
- Making sure the SDK is uploaded via HTTPS (in channel.html).
- Making sure all requests I make to my server go through HTTPS.
Here is my init call:
    FB.init({
        appId      : '{$appid}',
        status     : true,
        cookie     : false,
        xfbml      : true,
        oauth      : true,
        channelUrl : '//my_url.com/channel.html'
    });
And the content of channel.html:
    <script src="//connect.facebook.net/en_US/all.js"></script>
So how can I get the SDK to load xd_arbiter.php via HTTPS so the warning goes away?
I understand that the SDK is constantly evolving, but I first want to make sure I am not doing anything wrong.
Thanks
I suggest that you serve all your assets over one protocol: HTTP or HTTPS.
Then, for remote requests, have you considered creating PHP endpoints on your server, so that your AJAX requests, instead of calling cross-domain URLs, call a PHP script on the same domain, and PHP then uses curl to do the cross-domain work?
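The "one protocol" check from the answer above, as an added example that is not part of the original question or answer and is not Facebook SDK code. It resolves each sub-resource URL against the page URL the way a browser does and flags any that would load over HTTP inside an HTTPS page. The host `app.example`, the function names and the sample HTML are assumptions; xd_arbiter.php is modelled as an iframe.

```javascript
// Added example: flag sub-resources whose scheme differs from the page's.
// The sample HTML is constructed; only the two resource URLs come from the question.

// Collect src/href values from script, iframe, img and link tags.
function extractResourceUrls(html) {
  const urls = [];
  const tagRe = /<(script|iframe|img|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    urls.push({ tag: m[1].toLowerCase(), raw: m[2] });
  }
  return urls;
}

// Resolve each URL against the page URL and classify the result.
function auditProtocols(pageUrl, html) {
  const page = new URL(pageUrl);
  return extractResourceUrls(html).map(({ tag, raw }) => {
    const resolved = new URL(raw, page); // "//host/path" inherits the page scheme
    let verdict = 'same-protocol';
    if (page.protocol === 'https:' && resolved.protocol === 'http:') {
      verdict = 'insecure-in-secure-page'; // the case browsers warn about
    } else if (resolved.protocol !== page.protocol) {
      verdict = 'protocol-differs';
    }
    const protocolRelative = raw.startsWith('//');
    return { tag, raw, resolved: resolved.href, protocolRelative, verdict };
  });
}

// Constructed sample: the channel.html script tag plus the URL from the IE error.
const sampleHtml = `
<script src="//connect.facebook.net/en_US/all.js"></script>
<iframe src="http://static.ak.facebook.com/connect/xd_arbiter.php?version=18"></iframe>
`;

// Audit the same markup as served over HTTPS and over HTTP (placeholder host).
function demo() {
  return {
    overHttps: auditProtocols('https://app.example/channel.html', sampleHtml),
    overHttp: auditProtocols('http://app.example/channel.html', sampleHtml),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The protocol-relative script follows the page scheme in both runs, while the hard-coded `http://` URL is flagged only when the containing page is served over HTTPS.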