I have a Facebook app which gets loaded from my server as an iframe inside a Facebook fanpage. I use the JavaScript SDK to handle the Facebook authentication.
When I access the fanpage in IE through http, the console shows the following HTTPS security error: SEC7111: HTTPS security is compromised by http://static.ak.facebook.com/connect/xd_arbiter.php?version=18
which causes the user to see the 'insecure content' warning. I understand it has to do with the way IE handles the cross-domain iframe loading.
More details:
- Happens when FB.init is called (xd_arbiter.php is requested by the FB SDK when FB.init is called)
- Happens only in IE (specifically IE 9). No security warnings in Chrome or FF.
- Happens only when Facebook is loaded through http, not https. I would have thought it would be the other way around... so Facebook must be loading something over https even though the fanpage is loaded over http.
What I've tried:
- Setting FB._https = true before calling init. (does not work, deprecated)
- Made sure the SDK is loaded through https (in channel.html).
- Made sure all requests I make to my server are through https.
Here is my call to init:

    FB.init({
        appId : '{$appid}',
        status : true,
        cookie : false,
        xfbml : true,
        oauth : true,
        channelUrl : '//my_url.com/channel.html'
    });

And the content of channel.html:

    <script src="//connect.facebook.net/en_US/all.js"></script>

So how can I force the SDK to load the xd_arbiter.php over https so the warning goes away?
I understand the SDK is constantly evolving, but I first want to make sure I'm not doing something wrong.
Thanks
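
An added example, not part of the original post: a small checker that resolves each resource URL the way a browser would inside the app iframe and flags any that would be fetched over http from an https frame. It shows that the protocol-relative URLs in the question inherit the iframe's scheme, while the absolute `http://` xd_arbiter.php URL is the one that counts as mixed content. The resource URLs are the ones quoted in the question; the frame address `https://my_url.com/app/` and the function names are assumptions.

```javascript
// Added example. FRAME_URL is an assumed address for the app iframe
// (the post only gives the host name and says the app is served over https).
const FRAME_URL = 'https://my_url.com/app/';

// URLs quoted in the question.
const RESOURCES = [
  '//connect.facebook.net/en_US/all.js',
  '//my_url.com/channel.html',
  'http://static.ak.facebook.com/connect/xd_arbiter.php?version=18',
];

// Relative and protocol-relative ("//host/path") URLs resolve against the
// document that references them, i.e. the iframe, not the parent fan page.
function resolveInFrame(resource, frameUrl) {
  return new URL(resource, frameUrl);
}

// Classify every resource: "mixed" means an http fetch from an https frame.
function findMixedContent(resources, frameUrl) {
  const frame = new URL(frameUrl);
  return resources.map((resource) => {
    const resolved = resolveInFrame(resource, frameUrl);
    return {
      resource,
      resolved: resolved.href,
      mixed: frame.protocol === 'https:' && resolved.protocol === 'http:',
    };
  });
}

// Resolved URLs that would trigger an insecure-content warning in the frame.
function mixedUrls(resources, frameUrl) {
  return findMixedContent(resources, frameUrl)
    .filter((finding) => finding.mixed)
    .map((finding) => finding.resolved);
}

console.log(findMixedContent(RESOURCES, FRAME_URL));
```
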