When facebook application use Secure Canvas?

Question

I have a Facebook application, and my host have selfsigned certificate. Usually thats not a problem, because my browsers used Canvas URL (with http), and everything worked fine. But some other browsers requires Secure Canvas URL (with https), and throw an exception if Secure Canvas URL is empty, or if my host has incorrect certificate.
So how the browser/Facebook decides when to use Canvas URL, and when Secure Canvas URL? Can I make them use Canvas URL only, without https?

Answer 1

If I'm correct applications have a setting like "October 2011" or something (I'll try to verify that for you). Maybe if you disable that one you can use http. The idea behind this implementation was to put every new applications on https.

Now I can understand for development purposes you want to try without https. Not every browser acts the same way with self-signed certificates (Chrome <-> FF).

In a business environment I strongly suggest you have a valid certificate.

EDIT : possible duplicate of your question http://facebook.stackoverflow.com/questions/7308348/facebook-canvas-apps-https-and-http

EDIT 2 : Apps on Facebook Authentication and Security Migration (HTTPS)

All Canvas and Page tab apps must convert to process signed_request (fb_sig will be removed) and obtain an SSL certificate for use in "Secure Canvas URL" and "Secure Page Tab URL" (unless you are in Sandbox mode). You must provide an SSL certificate in the Dev App settings to avoid having your app disabled.

So ... are you in sandbox mode?