Facebook JavaScript SDK 通过 HTTPS 加载非安全项目 [英] Facebook JavaScript SDK over HTTPS loading non-secure items

问题描述

我有一个使用 Facebook Connect.js 的 Facebook 应用程序.

我正在通过 HTTPS 运行我的应用程序.网站上的所有内容均来自 https://，但某些内容必须包含在 Facebook 的 Connect.js

中

问题是我收到警告消息，指出页面中存在不安全的项目.

我已经使用 Chrome 的开发者工具/网络标签检查了正在加载的脚本查看正在加载哪些文件以及从何处加载.

我能看到的唯一一个通过 HTTP 而不是通过 HTTPS 加载的文件是一个名为 http://static.ak.facebook.com/connect/canvas_proxy.php 的文件.>

如何强制此文件使用 HTTPS?

解决方案

TL;DR

在调用 FB.init 之前将 FB._https 设置为 true.像这样:

FB._https = true;FB.init({/* 你的应用程序 ID 和内容 */});

说明

如果您取消缩小 Facebook JavaScript SDK，您会看到它基本上是一个具有一堆属性的对象字面量.其中一个属性是 _https，它是一个布尔值.此属性确定在发出 API 请求时要使用的 URL 集(存储在 FB._domain 中).似乎 Facebook 为每种类型的 API 请求保留了两组 URL——一个安全 URL 和一个非安全 URL——然后使用一个名为 getDomain() 的开关函数来确定使用哪个提出请求时.

JavaScript SDK 导致安全警告的原因是 FB._https 属性的定义方式.这是截至 2011 年 8 月 24 日的当前定义:

_https: (window.name.indexOf('_fb_https') > -1)

显然，Facebook 认为如果 window.name 属性中包含 _fb_https，那么它一定是一个安全的应用程序.这显然是不正确的.真正的测试应该是这样的:

_https: window.location.protocol == "https:"

不幸的是，SDK 不是开源的，甚至没有很好的文档记录，所以我无法提交此更改的拉取请求:P.在短期内， 在调用 FB.init 之前手动将 FB._https 设置为 true 应该可以解决问题.

I have a Facebook application that uses the Facebook Connect.js.

I am running my application over HTTPS. All content on the site is delivered from https:// with the exception of some content that must be included within Facebook's Connect.js

The problem is that I get warning messages saying that there are non-secure items within the page.

I've checked what scripts are being loaded using Chrome's Developer Tools / Network tab to see what files are being loaded and from where.

The only one I can see that is being loaded over HTTP and not over HTTPS is a file called http://static.ak.facebook.com/connect/canvas_proxy.php.

How can I force this file to use HTTPS?

解决方案

TL;DR

set FB._https to true before calling FB.init. Like so:

FB._https = true;
FB.init({
    /* your app id and stuff */
});

Explanation

If you unminify the Facebook JavaScript SDK, you'll see that its basically an object literal with a bunch of properties. One of these properties is _https, which is a boolean. This property determines which set of URLs to use (stored in FB._domain) when making API requests. It seems as though Facebook keeps two sets of URLs for each type of API request -- a secure URL and and non-secure URL -- then uses a switch function called getDomain() to determine which to use when making requests.

The reason the JavaScript SDK causes security warnings is due to the way the FB._https property is defined. This is how it's currently defined as of 2011-8-24:

_https: (window.name.indexOf('_fb_https') > -1)

Apparently Facebook thinks that if the window.name property has _fb_https in it, then it must be a secure app. This is obviously incorrect. The real test should be something similar to this:

_https: window.location.protocol == "https:"

Unfortunately, the SDK is not open source or even well documented, so I can't submit a pull request for this change :P. In the short term, setting FB._https to true manually before calling FB.init should do the trick.

这篇关于Facebook JavaScript SDK 通过 HTTPS 加载非安全项目的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！