Web Development

HTTPS URL Options for Facebook Tabs and App Canvases

Facebook has made several changes to the structure of the application registration form used to define Facebook apps and page tabs over the past couple of days.

This apparently overlaps with the introduction of the “secure browsing” option for Facebook users, which makes it possible to view pages using the https (SSL encrypted) protocol rather than http. The problem there lies with viewing an IFrame that points to unsecured content within a secured page. Most browsers would issue a warning under those circumstances, but the way Facebook deals with it is to not display tabs containing unencrypted content to those browsing in https mode. I first heard of this as an issue from users of my Facebook Tab Manager plugin who could not view their own pages because they were browsing in secure mode.

Now that users of the secure browsing feature have pulled all their hair out, Facebook has followed up by adding Secure Canvas URL and Secure Tab URL options to the app registration form. So provided you have an SSL encryption certificate installed on your server, you can simply specify the https versions of URLs as alternatives, and Facebook will serve those to browsers visiting the https version of the outer Facebook pages.

The example below is from my consulting work for Caspio, which provides both http and https versions of every application created with its cloud database service.

Secure canvas and tab URLs on the app registration form

On the other hand, this is the error message you get if you attempt to designate an https URL for your page tab without actually having an authenticated SSL certificate associated with the web hosting domain. So better to have site visitors see nothing than see this.

ugly error message
You can't fake SSL

The other change Facebook has made at more or less the same time (although I swear these secure URL options weren’t there when I looked yesterday), was to allow you to designate any URL as the location Facebook will pull from for the content of a business page tab.

Previously, Facebook assumed that a tab was somehow subordinate to an accompanying application. Therefore, it used to be that you had to make the canvas url a directory with an ending “/” and the tab URL had to be either a file name or a subdirectory beneath it. Now, you can have the same URL serve for both the tab and canvas versions of your application. It also becomes easier to use a URL using a query string as either a canvas or tab URL.

See: Facebook iFrame App / Page Tab Registration Just Got Easier

Leave a Reply