CODEWITHSUNDEEP
facebookgoogle-chromesslfacebook-apps
antriver
antriver

Reputation: 890

Link to an insecure page from secure canvas page no longer working in Chrome

It looks like a recent Chrome update broke this by tightening mixed content (https/http) security policies, and I read that Firefox plans to do this too.

Here's the issue:

Say I set the Secure Canvas URL of my app to https://themediadudes.com/httpstest/

That page contains only a link to Google:

<a href="http://www.google.com">Google</a>

When I view the app on Facebook and click the link, nothing happens. An error appears in the console:

[blocked] The page at https://apps.facebook.com/myappname/ ran insecure content from http://www.google.com/.

I understand that having insecure scripts/stylesheets etc. on an https page isn't allowed, but a simple link to a different website shouldn't be blocked right?. I assume Facebook is running some scripts which do something with the page before sending the user there? Which causes the error.

If I set the target of the link to _top or _blank it works.

Ideally I want to be able to use a javascript window.location to send the user to this insecure URL, or header('Location: blah'); in PHP. But neither of those work either. And it looks like this is a bigger problem than that if even a simple link to an insecure URL doesn't work.

I thought it may be caused by whatever makes the 'fluid' canvas width and canvas height settings work. But I tried setting both width and height to fixed and the problem still happens.

Does anybody have a solution or workaround, or can anybody at least shed some more light on this? Thanks

Upvotes: 1

Views: 1278

Answers (1)

David Robertson
David Robertson

Reputation: 499

I've been struggling with a similar issue and the answer seems to be that it is not possible at all to reference any non-https resources from within your page tab app. Of course if a google link is all you require then that is simply resolved (as google has a https version of course) but referencing external non-https sites will always turn up this warning/block in chrome

Additionally, I should add that I have noticed that the 'page tab URL' section requires a url to a particular page, whereas the 'canvas URL' needs to link to a directory. This does not seem to be documented and will also give the insecure content message in chrome and prevent the page tab app from loading

Upvotes: 1

Related Questions