I am currently working on a Drupal powered site that uses the Drupal for Facebook module for authentication and node and comment sharing. And it does work without major problems, until I tested in IE9!
When a post is shared, a Facebook dialog pops up and tries to ask for something; however, almost immediately IE9 produces a popup at the bottom warning that Only Secure Content is displayed, and gives me a button that reads 'Show All Content' and a little 'x' mark to close the pop-up.
When I click the Show All Content button it forces the current page to reload and this cancels the Facebook sharing altogether. If I click the little 'x' to close the pop-up the Facebook window is still visible, but continues to load indefinitely.
I would like to circumvent this without having to tell users that they have to modify their security settings in IE9 (I haven't even figured them out yet). Is there a way I can publish to Facebook without this confirmation pop-up?
I have done this in Firefox and it works like a charm. A) What are my options in regards to the browser? and B) What can I do in the Drupal for Facebook realm?
Thank you very much for your input.
Quick video illustrating the problem on Photobucket: http://s1125.photobucket.com/albums/l598/pluginbob/
Comments
Comment #1
Dave Cohen commented
There was a problem with http vs https and now I can't recall exactly which RC had the fix. Try to reproduce with RC10 or .dev release.
Comment #2
el_reverend commented
Hi Dave,
thanks a lot. An RC10 would be greatly appreciated.
Comment #3
el_reverend commented
Hi Dave,
is there a way to force the Facebook popup not to display? I thought I read something about this somewhere, but can't remember. Would this solve the problem?
Comment #4
bonked commented
Ok, trying to be a bit more helpful.
The issue I'm seeing is the exact same as the OP's.
The error from IE9 is:
SEC7111: HTTPS security is compromised by http://ourdomain.com/fb/channel?fb_xd_fragment
For some reason, it works like a champ if you set your fb account to only browse via HTTPS, but when you try it via HTTP it appears to be attempting to load the HTTPS version of all.js, which causes a million XSS errors to generate as it tries to load the comment share box.
ANY help tracking this down would be appreciated. I see that you mention it had been fixed in the past, but I'm not finding anything in the queue or even finding where this change would need to be made.
I have tried forcing it to use https://ourdomain.com/fb/channel but that breaks everything even though it is valid.
There is a special circle in hell for XSS exploiters.
Comment #5
Dave Cohen commented
If you browse HTTPS, that is https://example.com/..., then the fb/channel URL should be HTTPS. Also the all.js URL should be HTTPS. So all of the URLs should be HTTPS if you start with HTTPS. Otherwise they will be regular http. Is this not the case?
Comment #6
bonked commented
I agree it should be the case, but it is not.
The problem is IE9's default security setting.
Just as when you edit your account settings, Facebook will use https even if you have not set it to use HTTPS for browsing, the post a comment to your wall iframe is served via https. This is blocked by default in IE (the default setting for mixed content is prompt), and prevents the interior of the comment iframe from displaying (view the video in the OP's post).
Changing the setting to allow will make it work like every other browser. Pressing allow refreshes the page (killing the popup). For now, I've added a piece in hook_init which tells IE users to change their settings to https but there is a mess of nightmares in the way FB has rolled out https.
For example http://bugs.developers.facebook.net/show_bug.cgi?id=15880
Most people aren't offering their apps with HTTPS support so you end up with a real mess trying to track these things down.
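The condition described in Comments #4 to #6, as an added example that is not part of the original thread or the module's code: a simplified audit of a frame tree that reports any http: frame nested under an https: frame. The dialog URL and node path are constructed placeholders; the channel URL is the one quoted in the SEC7111 message.

```javascript
// Added example (not from the thread). A frame is { url, children: [...] }.
// Simplified model: a frame is "mixed" when it is loaded over http: while
// some ancestor frame was loaded over https:.

function scheme(url) {
  return new URL(url).protocol; // "http:" or "https:"
}

// Walk the tree and collect every http: frame that has an https: ancestor.
function findMixedFrames(frame, secureAncestor = null, found = []) {
  const isHttps = scheme(frame.url) === 'https:';
  if (!isHttps && secureAncestor !== null) {
    found.push({ insecure: frame.url, embeddedBy: secureAncestor });
  }
  // Once an https: frame is seen, everything below it must also be https:.
  const nextSecure = isHttps ? frame.url : secureAncestor;
  for (const child of frame.children || []) {
    findMixedFrames(child, nextSecure, found);
  }
  return found;
}

// Channel URL as quoted in the IE9 error message.
const CHANNEL = 'http://ourdomain.com/fb/channel?fb_xd_fragment';
// Constructed placeholder for the share dialog, which is served over https.
const DIALOG = 'https://dialog.example/share';

// Case from Comment #6: http page, https dialog, http channel inside it.
const httpPage = {
  url: 'http://ourdomain.com/node/1', // constructed path
  children: [{ url: DIALOG, children: [{ url: CHANNEL }] }],
};

// Case from Comment #5: everything https from the top page down.
const httpsPage = {
  url: 'https://ourdomain.com/node/1', // constructed path
  children: [{ url: DIALOG,
               children: [{ url: CHANNEL.replace('http:', 'https:') }] }],
};

console.log(findMixedFrames(httpPage));  // one finding: the http channel frame
console.log(findMixedFrames(httpsPage)); // no findings
```

Matching the channel URL's scheme to the top page is not enough when the dialog is always https: the channel frame has to match the scheme of the frame that embeds it.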
Comment #7
khiminrm commented
Subscribe