Facebook JavaScript SDK loading non-secure items over HTTPS
I have a Facebook application that uses the Facebook Connect.js.
I am running my application over HTTPS. All content on the site is delivered from https:// with the exception of some content that must be included within Facebook's Connect.js.
The problem is that I get warning messages saying that there are non-secure items within the page.
I've checked what scripts are being loaded using Chrome's Developer Tools / Network tab to see what files are being loaded and from where.
The only one I can see that is being loaded over HTTP and not over HTTPS is a file called http://static.ak.facebook.com/connect/canvas_proxy.php.
How can I force this file to use HTTPS?
TL;DR
Set FB._https to true before calling FB.init. Like so:

Explanation
If you unminify the Facebook JavaScript SDK, you'll see that it's basically an object literal with a bunch of properties. One of these properties is _https, which is a boolean. This property determines which set of URLs to use (stored in FB._domain) when making API requests. It seems as though Facebook keeps two sets of URLs for each type of API request -- a secure URL and a non-secure URL -- then uses a switch function called getDomain() to determine which to use when making requests.
The reason the JavaScript SDK causes security warnings is due to the way the FB._https property is defined. This is how it's currently defined as of 2011-8-24:
_https: (window.name.indexOf('_fb_https') > -1)
Apparently Facebook thinks that if the window.name property has _fb_https in it, then it must be a secure app. This is obviously incorrect. The real test should be something similar to this:
_https: window.location.protocol == "https:"
Unfortunately, the SDK is not open source or even well documented, so I can't submit a pull request for this change :P. In the short term, setting FB._https to true manually before calling FB.init should do the trick.
So this would give you the same protocol link:
I came across this problem a few days ago. My entire application was using HTTPS and my issue was only profile pictures being loaded over HTTP... My quick and dirty fix was to manually replace all the profile pictures' domain names. For example,
You'll have to check and see what URL your profile pictures have. I'd assume they are not coming from exactly the same place. View the URL of your own profile picture and substitute for what I have at https://fbcdn-profile-a.akamaihd.net.
After looking harder at the Facebook documentation:
I found an additional parameter called return_ssl_resources, and when passed with true, it returns profile pictures using HTTPS. It worked like a charm, and I stopped getting the mixed security warnings. I hope this helps!
Adding to Ralph Holzmann and Simon Bächler, the following is an even harder-hitting fix for when FB._https alone does not do the trick;
See also FB.Arbiter.inform() { ... FB.getDomain((d?'https_':'')+'staticfb',true) ... } where d=window!=window.parent&&... as of 2012-Feb-10.
It looks like FB._https has been replaced by:
This seems to be caused by this Facebook bug.
Also see this forum post.
That bug was marked as resolved on 3/16, but I am still observing non-https requests to canvas_proxy.php. Hopefully this will be fixed for real soon...
On a sidenote, if you have doc-type declarations on your HTML page like the following, the reference to "http://www.w3.org" can also bring up the content warning error in Internet Explorer.
I was having a similar problem (fb comments not working in secure mode). This solves it - just reference the javascript file via https:
Or don't specify the scheme to work for both:
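Putting together the first answer's idea (derive the SDK's https flag from window.location.protocol and set FB._https before FB.init) and the last answer's protocol-relative references, here is an added example that is not code from any answer on this page. The FB object, the location object and the resource URL list other than canvas_proxy.php are constructed stand-ins so the snippet runs outside a browser; the appId is a placeholder.

```javascript
// Added example (not from this page's answers): set the SDK's https flag from the
// page's real protocol, and audit/upgrade resource URLs so an https page loads no http:// asset.

// The test the first answer proposes: trust the page protocol, not window.name.
function shouldUseHttps(location) {
  return location.protocol === "https:";
}

// Apply the workaround from the first answer: FB._https must be set BEFORE FB.init.
// `FB` is passed in so a constructed stand-in can be used here instead of the real SDK.
function configureFacebookSdk(FB, location, appId) {
  FB._https = shouldUseHttps(location);
  FB.init({ appId: appId, status: true, cookie: true, xfbml: true });
  return FB;
}

// Normalise one resource URL for a page served over `pageProtocol`:
//  - protocol-relative URLs ("//host/path") already inherit the page scheme (last answer);
//  - on an https page, http:// URLs are upgraded to https://;
//  - anything else is returned unchanged.
function secureUrl(url, pageProtocol) {
  if (url.startsWith("//")) return url;
  if (pageProtocol === "https:" && /^http:\/\//i.test(url)) {
    return "https://" + url.slice("http://".length);
  }
  return url;
}

// What the question's author did by hand in the Network tab: given the URLs a page
// loads, return those that would trigger a mixed-content warning on an https page.
function findMixedContent(urls, pageProtocol) {
  if (pageProtocol !== "https:") return [];
  return urls.filter((u) => /^http:\/\//i.test(u));
}

// Constructed sample: the canvas_proxy.php URL from the question plus two placeholder assets.
const sampleUrls = [
  "http://static.ak.facebook.com/connect/canvas_proxy.php",
  "//example.invalid/sdk.js",
  "https://example.invalid/app.css",
];
```

Run findMixedContent(sampleUrls, "https:") to list the offending asset, and secureUrl on each entry to see how it would be rewritten.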