I have an iframe where I display some of the user's Facebook information. When my server generates the content for the iframe, it checks for responses from Facebook indicating that the access-code has expired, and sets up the re-auth sequence to occur inside the iframe, where it will be the least noticeable to the user. If, however, the server detects that the user is not logged in, it will bounce out to a new browser window to lead the user through sign-up.
Lately, I've noticed my iframe tends to go blank. The issue appears to be that occasionally the Facebook APIs will report an access-code as expired when, in fact, the user is not even signed in. Attempting to renew the access-code causes Facebook to redirect to the login page. But the login page is served with 'X-Frame-Options:DENY' Header, so the browser just refuses to display anything in my iframe. I don't have any control over this process once I invoke the URL to renew the access code, and since the content in the iframe is on a different domain, the hosting page can't even detect when this situation has happened.
Anybody know of a solution to this? Ideally, the Facebook APIs would more accurately report on expired access tokens, but failing that, it would be nice if I could set the login page to be redirected to a new window.