Facebook — How Do Canvas Page Tabs Handle HTTPS?

2019-06-04 00:30发布

问题:

I'm working on a FB canvas application that will run in a page tab. The app will be taking card payments, so some pages will need to be secure. For users browsing Facebook on HTTPS, there are no problems. What I'm unsure about is how to handle those on HTTP.

I'm particularly concerned about the way in which Facebook proxies the iframe. If the user is on HTTP, but the iframe content is HTTPS, does that mean that the content travels unencrypted to FB first?

I'd be interested to know how the FB iframe proxy works, and to hear of anyone's experience with secure FB canvas apps.

Thanks in advance, Ross

回答1:

When you are going to setup your application you see "Page Tabs" section on "Facebook Integration" tab you need to set HTTP URL and secure URL both so when you wanna redirect user to secure URL you can easily navigate user there.



回答2:

On further examination of the FB canvas pages, it seems that the FB proxy exists to handle the POST submission to the canvas application. It contains an auto-submitting form which posts to the canvas URL. From what I can gather, it doesn't proxy any communication with the iframe after that.

Redirections to HTTPS do seem to work fine, and JQuery picks up the protocol from the page without trouble.