During facebook iframe application integration I ask for publish permissions - I have HTML which loads JS Connect library and asks for permission dialog..
FB_RequireFeatures(["XFBML"], function(){
FB.Facebook.init("_MY_API_KEY", "MY_PATH/xd_receiver.htm");
FB.Connect.showPermissionDialog('publish_stream');
However in IETester with IE7 i get weird errors
SecurityError: Error #2060: Security sandbox violation: ExternalInterface caller http://b.static.ak.fbcdn.net/rsrc.php/zDVWA/hash/bqv7w2jc.swf cannot access ..(MY APP PAGE)
at flash.external::ExternalInterface$/_initJS()
at flash.external::ExternalInterface$/addCallback()
at flashutils::PostMessage()
at XdComm()
As far as i understand xd file is intended for flash proxy that uses this ExternalInterface to communicate with facebook and show dialog. After i click OK, everything seems to work further.
Can anyone clarify what can cause this?
IETester isn't perfect, simply because it cannot fully emulate a proper IE environment. When things get tricky, it starts to give weird errors. And there isn't much trickier than a cross-domain Facebook iframe application.
I would find a real installation of IE7 and check if the problem exists there. If it doesn't, it's probably not worth your time. Microsoft provides a Virtual PC application that is excellent for this kind of thing, as well as many XP and Vista test images containing various versions of IE. They are large downloads, but I highly recommend them over IETester.
Related
I have this web application login page that calls FB.GetLoginStatus() from the Facebook JavaScript SDK after the document is done loading. This worked perfectly fine on all browsers (mobile included) and that was the happily ever after.
BUT, one day, out of plain nowhere, I notice that the SDK is failing to get the login status data of the Facebook user when the page is done loading. I take a look in the console and I see something around the lines of
Load denied by X-Frame-Options [massive link generated by the SDK]
does not permit framing.
Here's what bugs me: this works perfectly fine in Safari. I was introduced to the error when I opened the web app on Chrome (same error as quoted above, slightly different wording). I tried on Firefox and got the same thing. I spent a few hours trying to find a cause but failed and went to sleep.
I wake up the next day and miraculously it's now working on Chrome (?) without me having done any changes (?!). But, for some reason, the error persists only in Firefox now.
Does anyone have a clue what this might be? Something that Firefox does differently that Safari and Chrome don't?
A clue here is that I'm using a tunneling service (ngrok) and I don't have a signed certificate for it, thus I get the casual (you're entering an 'unsafe' website, blah blah blah). Perhaps Firefox is blocking the SDK because the connection is not secure?
Any insight on this would be marvelous. Thanks 🙂
OK, after fighting this for a few hours I finally found out what was bothering Firefox: the website site URL field in the app's Facebook Dashboard settings.
The issue wasn't even with ngrok or a missing signed certificate, it was the fact that the website in the settings had the production domain (.app) instead of the ngrok one I'm currently using for development (eu.ngrok.io).
The only reason I managed to pinpoint this back to the dashboard settings is because I have 2 Facebook apps, and the other one was working fine, so I imagined it might be a misconfiguration in the settings that was causing the issue (Facebook has a shitty standard in place for explaining/handling errors — it's like shooting in the dark until you hit something when using their SDK's).
What I don't understand here is why the heck only Firefox seems to have a problem with this setting being misconfigured or why the issue disappeared out of nowhere from one day to the next for Chrome. Anyways, if I managed to help anyone else fix anything similar with this thread than this headache has been worthwhile.
Peace out ✌🏽
My web app is failing when I test it in BrowserStack, it breaks in the detectizr.js file, where navigator.plugins is being accessed. When I look at the navigator object via dev tools, I can see that for plugins there is a message saying permission denied and want to confirm if this is why my web app breaks in IE Edge and no other web browser. Has anyone encountered this issue? I am wondering if perhaps it's only an IE14 Edge setting that needs to be changed.
I've seen this same issue in IE Edge on BrowserStack when accessing navigator.plugins. I am using socket.io-client.js which uses this check to see if Flash is enabled. I don't see this issue on my actual Windows computers, so I believe you are on the right track that it is something specific to BrowserStack.
sorry - i wanted to comment not answer, but i don't have a good enough reputation to comment yet. guess i'm not allowed to be helpful yet :(
I used to test whether a logged-in user could hit the Skype CDN to determine whether or not to show them UI elements:
https://cdn.dev.skype.com/uri/skype-uri.js
But it seems like, out of nowhere, their CDN just moved (breaking my code) to here:
http://www.skypeassets.com/i/scom/js/skype-uri.js
My page is https and I can change the url above to https a la:
https://www.skypeassets.com/i/scom/js/skype-uri.js
But because there is no valid certificate there I can't connect and the browser doesn't throw the "confirm security exception" message.
What are my options to determine if I can connect to Skype CDN from SSL?
They were made aware of it by a developer here over a month ago.
To sum it up:
They are now aware of the problem.
They're deploying a fix shortly.
It might still cause issues with Chrome.
Seems like you'll just have to hang tight, sorry.
Here is their full official response:
Hi,
Thanks for posting, URIs are supported by the Skype Developer team and you can find out how to contact us by visiting the contact us page on http://developer.skype.com.
I can confirm that using Skype URIs on secure connections is presently broken. We have identified a fix and hope to deploy it shortly. Its likely, however, that the fix will still not work on newer versions of the chrome browser due to a change in the way it handles iframes launched over secure connections.
Allen Smith
Skype Developer Support
Update
7 months later and they still haven't properly fixed it.
However, that same thread now has a solution (of sorts) in its last comment:
Copy skype-ui.js to your project and replace below code to:
this.SkypeClientDownloadUrl = this.httpProtocol +
"//secure.skype.com/download"; this.assetPrefix = this.httpProtocol +
"//secure.skypeassets.com/i/scom/images/skype-buttons/";
this.analyzeScript = this.httpProtocol +
"//secure.skypeassets.com/i/scom/js/" + "skype-analytics.js";
Not pretty by any means, but at least it seems to work.
I want to detect via JS if a user does or does not have a particular app installed.
I know about the app store tag that will pop the generic "download this app" if they don't have it installed. I'm not asking about that.
I have a concept, but it's incomplete. This would try to target both iPhone and Android devices.
Knowing that a link with a particular prefix can trigger an app to open:
Target a hidden iframe with JS to open a url prefixed to trigger that app
That page would fire a post message back to the parent if it loads, indicating the app was not opened.
If the app exists, the message would never be fired back to the parent, since it would open in the app.
Unfortunately, my client does not want app to open (or attempt to open) automatically, but simply know wether or not it's installed.
Thoughts? Blaring errors in my logic? Work-arounds? Existing solutions?
Thanks
There's likely no way to do this, because generally speaking you aren't allowed to poke around on a user's device from a web page. Even though what apps a user does or doesn't have installed isn't the most sensitive of personal information, it would still be a bit of a security/privacy concern to expose that information to scripts coming from the web. The app store tag is probably the closest you're going to get, since it's an official API to provide similar but protected functionality.
I can think of two ways to try to solve your problem, although none is especially good. Since iOS 6, you can use Smart App Banners to promote an app.
The most obvious solution would be to hide any actions from the user, e.g. by preventing the activity from showing up after issuing the URL request. I don't have any experience with this and cannot tell you to what extent it might be possible to hide it.
To be honest, I have no idea whether the second approach will work on mobile devices. It has been used for desktop applications a lot and allows inter-application communication - including communication between the browser and the app. However, the possibilities might be limited due to the usually high security restrictions on mobile devices. This is a highly theoretical suggestion as I am pretty sure it is unsuitable, whether it is possible or not.
Your app must provide a tiny HTTP server on an unused but fixed port. Your JavaScript code can then use JSONP to communicate with the app (assuming the security restrictions of the browser don't prevent this). If communication fails, you may assume the app is not installed.
Before anyone attempts to criticize this approach, let me say that this is a theoretical possibility, might be unstable and is unsuitable for most apps. The efforts of running an HTTP server are far too high for such a secondary task.
I was going through a simple HTML5/CSS3 tutorial to build a basic website.I closely followed the tutorial to make myself understand the newly added tags use and developed what was taught online step-by-step.
However, the demo of the site I was creating worked fine on Internet-Explorer8 but when I completed my own development, though it worked fine in Chrome and Firefox but it didn't pick any design when I tried run it on Internet-Explorer8.
This however I understand is due to old versions of IE's not supporting newly added elements of HTML5 thus added a script HTML5shiv.js.
This should work fine however IE8 kept popping up the dialog box displaying that : It blocked some Active Content due to security reasons and if required, you can allow them to dosplay. This was never the case with the demo version of the website that I was making.
However, when I allowed the ActiveX controls in the IE8, everything worked fine.
The issue with me now is that if any of my website's user has disabled ActiveX-Controls in IE6,7 or 8, then my website would loose it''s designed structure. How can I get through it?
I assume you are loading html5shiv.js from a separate domain, if so try downloading it and hosting it with the rest of your website. This should solve your problem.
If you're developing your website locally (i.e. directly opened from a file on your computer), that can also cause this problem.
Update to users comment:
Hosting it should solve it. Instead of buying hosting though you could simply host on your localhost, to do that look into using something such as WAMP, or MAMP for Mac.
Alternatively, you can add <!-- saved from url=(0017)http://localhost/ --> to the top of your document which should disable the security policy. You can read more about that here.