HTTPS URL Options for Facebook Tabs and App Canvases

Facebook has made several changes to the structure of the application registration form used to define Facebook apps and page tabs over the past couple of days.

This apparently overlaps with the introduction of the “secure browsing” option for Facebook users, which makes it possible to view pages using the https (SSL encrypted) protocol rather than http. The problem there lies with viewing an IFrame that points to unsecured content within a secured page. Most browsers would issue a warning under those circumstances, but the way Facebook deals with it is to not display tabs containing unencrypted content to those browsing in https mode. I first heard of this as an issue from users of my Facebook Tab Manager plugin who could not view their own pages because they were browsing in secure mode.

Now that users of the secure browsing feature have pulled all their hair out, Facebook has followed up by adding Secure Canvas URL and Secure Tab URL options to the app registration form. So provided you have an SSL encryption certificate installed on your server, you can simply specify the https versions of URLs as alternatives, and Facebook will serve those to browsers visiting the https version of the outer Facebook pages.

The example below is from my consulting work for Caspio, which provides both http and https versions of every application created with its cloud database service.

Secure canvas and tab URLs on the app registration form

On the other hand, this is the error message you get if you attempt to designate an https URL for your page tab without actually having an authenticated SSL certificate associated with the web hosting domain. So better to have site visitors see nothing than see this.

ugly error message
You can't fake SSL
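
Once a tab is served from a Secure Tab URL, the same mixed-content rule applies to everything that page loads. The following is an added example (not from the original post or the Facebook Tab Manager plugin) that goes one step beyond the iframe case described above and audits a tab's HTML for plain-http references. The function name `audit_tab`, the sample markup and the example.com hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch (or post to) a URL, per tag.
FETCH_ATTRS = {"iframe": "src", "script": "src", "img": "src", "embed": "src",
               "source": "src", "link": "href", "form": "action", "object": "data"}

class MixedContentAudit(HTMLParser):
    """Collect resources an https page would load (or post to) over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel="canonical" is never fetched
        # Relative and protocol-relative URLs inherit the https scheme of the page.
        resolved = urljoin(self.base, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((self.getpos()[0], tag, resolved))

def audit_tab(secure_tab_url, html):
    """Return [(line, tag, url)] for insecure references in the tab's HTML."""
    if urlsplit(secure_tab_url).scheme != "https":
        raise ValueError("Secure Tab URL must use https")
    parser = MixedContentAudit(secure_tab_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample tab page; example.com is a placeholder host.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/tab.css">
<script src="//cdn.example.com/lib.js"></script>
<script src="http://cdn.example.com/widget.js"></script>
</head><body><img src="http://www.example.com/banner.png">
<iframe src="https://www.example.com/form"></iframe></body></html>"""

if __name__ == "__main__":
    for line, tag, url in audit_tab("https://www.example.com/fbtab/", SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Each finding is a reference to switch to https or to a relative URL before registering the page as the secure version of the tab.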

The other change Facebook has made at more or less the same time (although I swear these secure URL options weren’t there when I looked yesterday) was to allow you to designate any URL as the location Facebook will pull from for the content of a business page tab.

Previously, Facebook assumed that a tab was somehow subordinate to an accompanying application. Therefore, you had to make the canvas URL a directory ending in “/”, and the tab URL had to be either a file name or a subdirectory beneath it. Now, you can have the same URL serve for both the tab and canvas versions of your application. It also becomes easier to use a URL with a query string as either a canvas or tab URL.

See: Facebook iFrame App / Page Tab Registration Just Got Easier

14 thoughts on “HTTPS URL Options for Facebook Tabs and App Canvases”

  1. You need to obtain an SSL certificate and get it installed on your server (or work with your web host to set that up for you). This has become a practical requirement for hosting Facebook tab content because they're moving toward making https browsing the default.

  2. Another option instead of buying an ssl certificate would be to try its a free service for Facebook tabs and ssl.

  3. David,
    Is there any way to set up a shared SSL with this plugin? I’ve been testing it on two of my WP sites on a shared hosting account.
     Here’s the thing, to set up a shared SSL for my addon domains I have to link through a folder like this on bluehost: thinking something like this:
    However, the fbtab folder does not exist and I don’t understand how WP gets to the tab content.
    I can create individual html files in a separate folder, but I like the options in the tab manager. Any help on creating a shared SSL url to reach the post content?

  4. I haven’t heard of anyone getting this to work with a shared SSL cert, but that doesn’t necessarily mean it’s impossible.

    First of all, can you navigate to that address through your browser, independently of an FB tab? If you can’t do it through the browser, it definitely won’t work in an iFrame.

  5. Thanks David, I tried several configurations of the url string that I found, but wasn’t able to get it to work in the browser. The exact configuration may be host specific as well, based on what I’ve seen so far.

    There looks to be an option to set up a separate independent site and put the shared ssl in the WP general site settings urls and make the site completely secure. This would appear to be a way to serve the entire WP site in an iframe. I suppose a little css formatting magic or a FB tab theme applied you’ve got a mini site for your tab.  That’s more than I need to accomplish.

    For now I’ll just go with individual file pages or use one of the new Iframe apps.

  6. Found an alternate workaround solution from Debra at
    “Using the Static HTML iFrame Tabs application to call a post that I
    created with the Facebook Tab Manager worked effortlessly. Creating a
    custom tab that included fan-only content (reveal tab) is as simple as
    creating two posts using the plugin and then using the Facebook
    application to call each as appropriate.”

    Ok, some of us don’t do this kind of call so it took a while to figure out, but was included in the faq of the app.

