Facebook Canvas中的Web App/X-Frame-Options拒绝案例 [英] Web App in Facebook Canvas / X-Frame-Options Deny Case
问题描述
我知道有几条与我提到的主题相关的条目,但是在检查了大多数条目之后,我找不到与我遇到的类似案例.
我正在使用Spring MVC框架实现一个简单的Web应用程序.Web应用程序本身运行正常.然后,我尝试将应用程序的某些部分定义为Facebook应用程序,其中某些jsp将显示在Facebook的画布中.
在与Facebook应用程序定义相关的Spring控制器部分中-通过在Facebook应用程序管理页面中定义的安全画布url-中,我检查了从Facebook收到的POST消息中是否包含"signed_request"参数,如果该参数不包含"oauth_token""值,然后我尝试以以下方式重定向到Facebook身份验证流程:
重定向: https://www.facebook.com/dialog/oauth?client_id =#1& redirect_uri =#2
(#1是我的应用程序ID的占位符,#2是我希望Facebook在成功身份验证后重定向的URL的占位符,该URL与我自己的Web应用程序相关)
在当前情况下,我观察到的是我打开了应用程序显示的Facebook页面,通过Facebook获得了HTTP POST,将重定向返回到Facebook端,该浏览器发出了URL为
https://www.facebook.com/dialog/oauth?client_id =#1& redirect_uri =#2
但是在此之后,它会收到如下错误:
拒绝显示">://www.facebook.com/dialog/oauth?client_id=......&redirect_uri= .....",因为它将"X-Frame-Options"设置为"DENY".
我首先以为是我的环境将X-Frame-Options标头值返回为DENY,所以我更改了Spring安全配置,但没有任何改变.
然后只是尝试,我将redirect_uri定义为Facebook中应用程序的页面URL,但没有任何变化.
我假设您正在尝试在iframe中进行重定向,而Facebook不允许在iframe中访问其内容.重定向顶部窗口或(使用更好的方法)使用JavaScript SDK进行登录.
有关JS SDK的更多信息:
- https://developers.facebook.com/docs/javascript/quickstart/
- http://www.devils-heaven.com/facebook-javascript-sdk-login/
I know there are several entries related to the topic I mentioned, but after I checked most of them I couldn't find the a similar case that I encountered.
I am implementing a simple web application using Spring MVC framework. The web application itself is working OK. Then I tried to defined some parts of the application as a Facebook application in which certain jsp's will be displayed in Facebook's canvas.
In the Spring's Controller part related to the Facebook application definition - through secure canvas url defined in Facebook app admin page -, I checked the received POST message from the Facebook for the "signed_request" parameter, if it does not include "oauth_token" value, then I try to redirect to Facebook authentication flow as:
redirect:https://www.facebook.com/dialog/oauth?client_id=#1&redirect_uri=#2
(#1 is placeholder for my app's id, and #2 is placeholder for the url that I want Facebook redirect after a successfull authentication, an url related to my own web application)
In my current situation, what I observe is I opened the Facebook page that the application presented, got an HTTP POST via Facebook, returned the redirect to Facebook side, the browser that makes an HTTP GET request with url as
https://www.facebook.com/dialog/oauth?client_id=#1&redirect_uri=#2
But after that it receives an error like:
Refused to display 'https://www.facebook.com/dialog/oauth?client_id=......&redirect_uri=.....' in a frame because it set 'X-Frame-Options' to 'DENY'.
I first thought it's my environment that returns the X-Frame-Options header value as DENY, I changed the Spring security configuration but nothing changes.
Then just for try, I defined the redirect_uri as my application's page url in Facebook but nothing changes.
I assume you are trying to redirect inside the iframe, and Facebook does not allow their content to be accessed in an iframe. Redirect the top window or (much better) use the JavaScript SDK for login.
More information about the JS SDK:
- https://developers.facebook.com/docs/javascript/quickstart/
- http://www.devils-heaven.com/facebook-javascript-sdk-login/
这篇关于Facebook Canvas中的Web App/X-Frame-Options拒绝案例的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
