Facebook: Unsafe JavaScript issue (document.domain values should be same)


Problem description

Mine is a FB App based on canvas. Facing an issue both on Chrome and Firefox, (although usually Chrome):

1. When I hit my approved fb app secure URL on a new incognito Chrome window (https://apps.facebook.com/myfbappnamespace/), the below error comes only for the first time, and when I refresh the page the error is gone (most of the times)

The page at about:blank displayed insecure content from http://static.ak.facebook.com/connect/xd_arbiter.php?version=18#cb=f2e4fe7b…os.com%2Ff4aeadb2&domain=www.mydomain.com&relation=parent&error=unknown_user.

Unsafe JavaScript attempt to access frame with URL http://www.mydomain.com/control/myfacebookapp/ from frame with URL http://static.ak.facebook.com/connect/xd_arbiter.php?version=18#cb=f2e4fe7b…os.com%2Ff4aeadb2&domain=www.mydomain.com&relation=parent&error=unknown_user. The frame requesting access set 'document.domain' to 'facebook.com', but the frame being accessed did not. Both must set 'document.domain' to the same value to allow access.
xd_arbiter.php:18

2. When I try the http URL (http://apps.facebook.com/myfbappnamespace/), the error shown in console is:

Unsafe JavaScript attempt to access frame with URL http://apps.facebook.com/myfbappnamespace/ from frame with URL https://s-static.ak.facebook.com/connect/xd_arbiter.php?version=18#channel=…Fcontrol%2Ffacebookappchannelurl%3Ffb_xd_fragment%23xd_sig%3Df23e84e85c%26. The frame requesting access has a protocol of 'https', the frame being accessed has a protocol of 'http'. Protocols must match.

Now when I login to my fb account to see what happens with these errors, they are gone, again only sometimes. I know that I am using "most of the times" and "sometimes" here in my query but that is exactly what is happening with me. I have also searched forums and realize that fb has already fixed this old issue which was supposed to be chrome specific. I have made sure that my FB.init and other calls are location.protocol value specific. Also configured correct values in canvas url (http) and secure canvas url (https). Also tried with both the settings: Account Settings -> Security -> Secure Browsing -> (Enabled as well as Disabled)

Can somebody please help if I am missing something somewhere?

Recommended answer

There are a lot of possible issues. Try with one of these solutions:

  • protocols must be the same (so the page that attempts to access the iframe must have the same protocol as the site that delivers the iframe), so if you are testing your app in sandbox mode (http instead of https), disable the "Secure browsing" mode of your testing account
  • channelUrl on FB.init() (see code below)
  • enable the headers mod of Apache and put the below lines in your .htaccess
  • put the <div id="fb-root"></div> after the body tag as explained in the fb doc here: https://developers.facebook.com/docs/reference/javascript/
  • try to put all the automated login code after a user action (like a click on a login button)
  • remove the trailing slash from the Canvas URL (in app→settings) like http://yoursite.com?
  • edit your <html> tag like this: <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="https://www.facebook.com/2008/fbml">

Code for the .htaccess:

<IfModule mod_headers.c>
    # Adds a CORS response header that lets pages from any origin read this site's responses
    Header set Access-Control-Allow-Origin "*"
</IfModule>

Code for the channel issue:

FB.init({
    appId: '1234567890',
    status: true,
    cookie: true,
    xfbml: true,
    channelUrl : '//yoursite.com/channel.html'
});

The channel.html delivered by your server should contain this single line:

<script src="//connect.facebook.net/en_US/all.js"></script>

EDIT

About your first issue:

The page at about:blank displayed insecure content from http://static.ak.facebook.com/connect/xd_arbiter.php?version=18#cb=f2e4fe7b…os.com%2Ff4aeadb2&domain=www.mydomain.com&relation=parent&error=unknown_user.

This is an expected exception that is used to test for a condition - this has no side effects so don't care about it.

Please refer to this question: Unsafe JavaScript attempt to access frame with URL: Domains, protocols and ports must match.
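
The two console errors in the question both follow from the browser's rule for script access between frames. As an added example (not part of the original post, and not browser or Facebook SDK code), this simplified JavaScript model of that rule reproduces both verdicts; the `{ url, documentDomain }` frame objects and the function names are illustrative assumptions.

```javascript
// Simplified model of the browser check for script access between frames.
// Added illustration: not browser code and not Facebook SDK code.
// A frame is { url, documentDomain }; documentDomain stays undefined unless
// the page's script assigned document.domain.

// document.domain may only be set to the current host or a parent suffix.
// (Browsers also reject public suffixes such as "com"; omitted here.)
function canRelaxTo(hostname, value) {
  return hostname === value || hostname.endsWith('.' + value);
}

function frameAccessVerdict(accessor, target) {
  const a = new URL(accessor.url);
  const t = new URL(target.url);

  // Schemes must match whether or not document.domain was set.
  if (a.protocol !== t.protocol) {
    return { allowed: false, reason: 'protocol-mismatch' };
  }

  const aSet = accessor.documentDomain !== undefined;
  const tSet = target.documentDomain !== undefined;
  if (aSet || tSet) {
    // Once either side sets document.domain, both must have set the same
    // value; the port is then ignored.
    const same = aSet && tSet &&
      accessor.documentDomain === target.documentDomain;
    return same
      ? { allowed: true, reason: 'same-document-domain' }
      : { allowed: false, reason: 'document-domain-mismatch' };
  }

  // Neither side relaxed: host and port must match exactly.
  return a.host === t.host
    ? { allowed: true, reason: 'same-origin' }
    : { allowed: false, reason: 'host-or-port-mismatch' };
}

// Frames from the two console errors in the question (query strings dropped).
const arbiterHttp = { url: 'http://static.ak.facebook.com/connect/xd_arbiter.php', documentDomain: 'facebook.com' };
const appFrame = { url: 'http://www.mydomain.com/control/myfacebookapp/' };
const arbiterHttps = { url: 'https://s-static.ak.facebook.com/connect/xd_arbiter.php', documentDomain: 'facebook.com' };
// Assumption: the canvas page also set document.domain; the scheme check fails first anyway.
const canvasHttp = { url: 'http://apps.facebook.com/myfbappnamespace/', documentDomain: 'facebook.com' };

console.log(frameAccessVerdict(arbiterHttp, appFrame));     // first error
console.log(frameAccessVerdict(arbiterHttps, canvasHttp));  // second error
console.log(canRelaxTo('www.mydomain.com', 'facebook.com'));
```

Because `www.mydomain.com` is not a subdomain of `facebook.com`, the app frame cannot set a matching `document.domain`, so the first error cannot be cleared from the app's side.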
