http/https blocked frame error when using FB secure browsing

  • Resolved padvinder95

    (@padvinder95)


    12 years, 6 months ago

    See the page at e.g. http://excelsior.gtbrinke.nl/lampionnenoptocht/

    Plugin settings: I only enabled the FB button in Posts, changed it to HTML5 (but the problem also occurs with the default xfbml) and enabled Add Hidden Debug Info.

    Problem: I have enabled “Secure Browsing” in my FaceBook security settings. Upon loading the FaceBook like button, I get a lot of security warnings/errors in my browser’s console log (see below). When disabling “Secure Browsing” on FaceBook, I do not get the errors.

    [Error] Blocked a frame with origin "http://www.facebook.com" from accessing a frame with origin "http://excelsior.gtbrinke.nl". Protocols, domains, and ports must match.
	global code (like.php, line 1)
[Error] Blocked a frame with origin "http://www.facebook.com" from accessing a frame with origin "https://www.facebook.com".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "https". Protocols must match. (x25)

    The first error occurs only once, but every time I move my mouse (especially when hovering over the buttons) and/or click the buttons, tens of these errors pop up. I think it even prevented the buttons loading in one case, although I can’t remember the settings and cannot reproduce that particular issue.

    Is there anything I—or you—can do to make the plugin more secure, or at least prevent these security errors to occur?

    http://ww.wp.xz.cn/plugins/nextgen-facebook/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author JS Morisset

    (@jsmoriss)

    12 years, 6 months ago

    NGFB Open Graph+ will match the protocol being used to fetch most/all external resources (javascript, videos, etc.) — except for Tumblr, which doesn’t have a valid ssl cert, so must always use http. If you use https on your website, then the javascript will be included using https as well.

    Let me have a look and see what I can do. Maybe I can add an option to force https for all button javascripts…

    js.

    Thread Starter padvinder95

    (@padvinder95)

    12 years, 6 months ago

    I realised the plugin tries to match the site’s method http/https. Problem is: FB’s secure browsing option overrides this, so either the plugin must somehow check whether this secure browsing option is enabled, or indeed ssl must be forced, possibly leading to different security issues?

    By the way, I do not regard this as a bug of the plugin per se: FaceBook’s own recommended code for a Like button (https://developers.facebook.com/docs/plugins/like-button/) has the same issue I believe.

    Plugin Author JS Morisset

    (@jsmoriss)

    12 years, 6 months ago

    I have secure browsing enabled in my Facebook profile, and don’t get any errors. Looking at your page, you *do* have an issue with clipping though. See “Why does the Facebook “Like” button flyout get clipped?” from the FAQ: http://ww.wp.xz.cn/plugins/nextgen-facebook/faq/

    js.

    Thread Starter padvinder95

    (@padvinder95)

    12 years, 6 months ago

    Hmm that is strange; are you logged into facebook and accessing the site using the same browser? I definitely get the errors in both Safari’s and Chrome’s console.

    PS I know there’s clipping and how to solve it—it’s only a testsite. Thanks for the pointer though. 🙂

    Plugin Author JS Morisset

    (@jsmoriss)

    12 years, 6 months ago

    Going to your webpage, and pressing the like/send buttons, I only get the following js/security/logging messages (Firefox):

    [11:22:30.345] "Invalid App Id: Must be a number or numeric string representing the application id."
[11:22:30.346] "The "fb-root" div has not been created, auto-creating"
[11:22:30.352] "FB.getLoginStatus() called before calling FB.init()."
[11:22:30.996] Unexpected value xMidYmid meet parsing preserveAspectRatio attribute. @ https://plusone.google.com/_/+1/fastbutton?size=standard&count=true&hl=en&url=http%3A%2F%2Fexcelsior.gtbrinke.nl%2Flampionnenoptocht%2F
[11:24:04.800] Empty string passed to getElementById(). @ https://fbstatic-a.akamaihd.net/rsrc.php/v2/y-/r/J-6AhHpOZxD.js:45
[11:24:26.179] Use of getAttributeNode() is deprecated. Use getAttribute() instead. @ https://fbstatic-a.akamaihd.net/rsrc.php/v2/yx/r/N8FbwxtkZ5b.js:134
[11:24:26.376] Empty string passed to getElementById(). @ https://fbstatic-a.akamaihd.net/rsrc.php/v2/yx/r/N8FbwxtkZ5b.js:46

    In chrome, showing All in the console, I get:

    Invalid App Id: Must be a number or numeric string representing the application id. all.js:56
The "fb-root" div has not been created, auto-creating all.js:56
FB.getLoginStatus() called before calling FB.init(). all.js:56
event.returnValue is deprecated. Please use the standard event.preventDefault() instead. jquery.js?ver=1.10.2:4

    I tried both, not logged in and logged in to Facebook – same messages.

    js.

    Plugin Author JS Morisset

    (@jsmoriss)

    12 years, 6 months ago

    Closing this thread since I can’t reproduce the issue, and no follow-up in last 4 days since my reply. If this is still an issue, and you need some help in problem solving, let me know.

    js.

    Thread Starter padvinder95

    (@padvinder95)

    12 years, 6 months ago

    Understood. I seem to have the problem only in my Safari web browser, so it must be something with the combination of security settings in Facebook and the browser. Thanks for taking the time to look into this; and also thanks for the excellent plugin of course. 🙂

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘http/https blocked frame error when using FB secure browsing’ is closed to new replies.