Facebook上的JavaScript SDK通过HTTPS加载非安全项目 [英] Facebook JavaScript SDK over HTTPS loading non-secure items

问题描述

我有一个使用 Facebook Connect.js 的Facebook应用程序。

我通过HTTPS运行我的应用程序。网站上的所有内容均从 https：// 发送，但某些内容必须包含在Facebook的 Connect.js

问题是我收到警告消息，表示页面中有不安全的项目。

我已经使用 Chrome 的开发者工具/网络标签查看了哪些脚本正在加载查看正在加载哪些文件以及从哪个文件。

我可以看到的唯一一个是通过HTTP加载，而不是通过HTTPS加载的是一个名为 http://static.ak.facebook.com/connect/canvas_proxy.php 。

如何强制此文件使用HTTPS？

解决方案

TL; DR

<在调用 FB.init FB._https 到 true C>。像这样：

  FB._https = true; 
 FB.init（{
 / *您的应用程序ID和内容* / 
}）; 
  

说明

如果您取消了Facebook JavaScript SDK的限制，您将看到它基本上是一个具有一系列属性的对象文字。这些属性之一是 _https ，它是一个布尔值。此属性确定在进行API请求时使用哪个URL（存储在 FB._domain ）中。似乎Facebook为每种类型的API请求保留两组URL - 一个安全的URL和非安全的URL - 然后使用一个名为的开关函数getDomain（）确定在请求时使用哪一个。

JavaScript SDK导致安全警告的原因是由于 FB._https 属性被定义。这是它目前的定义从2011-8-24：

_https：（window.name.indexOf（'_ fb_https'）> -1）

显然Facebook认为如果 window.name code> _fb_https ，那么它必须是一个安全的应用程序。这显然是不正确的。真正的测试应该是这样的：

_https：window.location.protocol ==https：

不幸的是，SDK不是开源的，甚至没有文档记录，所以我不能提交这个更改的提请请求：P。在短期内，在调用之前，将 FB._https 设置为 true FB.init 应该做的伎俩。

I have a Facebook application that uses the Facebook Connect.js.

I am running my application over HTTPS. All content on the site is delivered from https:// with the exception of some content that must be included within Facebook's Connect.js

The problem is that I get warning messages saying that there are non-secure items within the page.

I've checked what scripts are being loaded using Chrome's Developer Tools / Network tab to see what files are being loaded and from where.

The only one I can see that is being loaded over HTTP and not over HTTPS is a file called http://static.ak.facebook.com/connect/canvas_proxy.php.

How can I force this file to use HTTPS?

解决方案

TL;DR

set FB._https to true before calling FB.init. Like so:

FB._https = true;
FB.init({
    /* your app id and stuff */
});

Explanation

If you unminify the Facebook JavaScript SDK, you'll see that its basically an object literal with a bunch of properties. One of these properties is _https, which is a boolean. This property determines which set of URLs to use (stored in FB._domain) when making API requests. It seems as though Facebook keeps two sets of URLs for each type of API request -- a secure URL and and non-secure URL -- then uses a switch function called getDomain() to determine which to use when making requests.

The reason the JavaScript SDK causes security warnings is due to the way the FB._https property is defined. This is how it's currently defined as of 2011-8-24:

_https: (window.name.indexOf('_fb_https') > -1)

Apparently Facebook thinks that if the window.name property has _fb_https in it, then it must be a secure app. This is obviously incorrect. The real test should be something similar to this:

_https: window.location.protocol == "https:"

Unfortunately, the SDK is not open source or even well documented, so I can't submit a pull request for this change :P. In the short term, setting FB._https to true manually before calling FB.init should do the trick.

这篇关于Facebook上的JavaScript SDK通过HTTPS加载非安全项目的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！