Saturday, February 19, 2011

Using Facebook Login on 3rd Party HTTPS pages

Image Courtsy: http://www.software-latest.com

Why the hell this post ....
As Facebook suggests, it is very simple to use JavaScript SDK of Facebook on HTTPS pages.
Documentation is available under SSL heading on JavaScript SDK page of Facebook developers documentation. It says:
Facebook Connect is also available over SSL. You should only use this when your own page is served over https://. The library will rely on the current page protocol at runtime. The SSL URL is the same, only the protocol is changed:
https://connect.facebook.net/en_US/all.js
However, while documentation says this so simple, life of developers are not that simple. Developers are fighting hard for years for complete SSL support. You will find so many forum discussions and bugs reporting  that some or the other resource is being loaded on HTTP by Facebook JavaScript client library during the login process.

In such situation (loading HTTP resource on HTTPS page), browsers show a warning to the user. While this warning is non-intrusive in most browsers, Internet Explorer throws the warning popup on the user's face. Adding  to that the statement on the warning popup is written in the way that if users respond to the warning saying 'yes', resources loaded on HTTP are not shown.

Here is scenario in which the problem elevates itself to the highest level:

  1. There is an 'FBApp' that powers an iframe widget for 'Third Party Sites'.
  2. Best (or may be the only) page where the FBApp widget can be placed on Third Party Website is available only on HTTPS.
  3. To complete a transaction in FBApp widget, user must login using Facebook Login.
  4. Studies suggest that most of the people like to complete the transaction with FBApp in the iframe but not in a new window.
FBApp includes all its resources (including Facebook JavaScript lib) over HTTPS but Facebook lib includes some resource over HTTP resulting in warning on the face in IE that is still being used by more than 60% of the users. Most of the users seeing the warning, go away from that point. Looking at this behavior, Third Party Site eliminates the FBApp widget from the page.

Now, when the problem is formulated well.....the post about it makes sense

But everything can not be said in single post.......

Stay Tuned ....
#Cheers