Facebook: Unsafe JavaScript issue (document.domain values should be same)
There are a lot of possible issues. Try with one of these solutions:
- protocols must be the same (so the page that attempts to access the iframe must have the same protocol of the site that deliver the iframe), so if you are testing your app in sandbox mode (http instead of https), disable the "Secure browsing" mode of your testing account
- channelUrl on
FB.init()(see code below) - enable the headers mod of apache and put the below lines in your .htaccess
- put the
<div id="fb-root"></div>after the body tag as explained in the fb doc here: https://developers.facebook.com/docs/reference/javascript/ - try to put all the automated login code after a user action (like a click on a login button)
- remove the trailing slash from the Canvas URL (in app→settings) like
http://yoursite.com? - edit your
<html>tag like this:<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="https://www.facebook.com/2008/fbml">
Code for .htaccess
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
Code for channels issue:
FB.init({
appId: '1234567890',
status: true,
cookie: true,
xfbml: true,
channelUrl : '//yoursite.com/channel.html'
});
The channel.html delivered by your server should contain this single line:
<script src="//connect.facebook.net/en_US/all.js"></script>
EDIT
About your first issue:
The page at about:blank displayed insecure content from http://static.ak.facebook.com/connect/xd_arbiter.php?version=18#cb=f2e4fe7b…os.com%2Ff4aeadb2&domain=www.mydomain.com&relation=parent&error=unknown_user.
This is an expected exception that is used to test for a condition - this has no side effects so don't care about it.
Please refer to this question: Unsafe JavaScript attempt to access frame with URL: Domains, protocols and ports must match.
Comments
-
Bhavesh Agarwal about 4 years
Mine is a FB App based on canvas. Facing an issue both on Chrome and Firefox, (although usually Chrome):
1.When I hit my approved fb app secure URL on a new incognito Chrome window (https://apps.facebook.com/myfbappnamespace/), the below error comes only for the first time, and when I refresh the page the error is gone (most of the times)
The page at about:blank displayed insecure content from http://static.ak.facebook.com/connect/xd_arbiter.php?version=18#cb=f2e4fe7b…os.com%2Ff4aeadb2&domain=www.mydomain.com&relation=parent&error=unknown_user.
Unsafe JavaScript attempt to access frame with URL http://www.mydomain.com/control/myfacebookapp/ from frame with URL http://static.ak.facebook.com/connect/xd_arbiter.php?version=18#cb=f2e4fe7b…os.com%2Ff4aeadb2&domain=www.mydomain.com&relation=parent&error=unknown_user. The frame requesting access set 'document.domain' to 'facebook.com', but the frame being accessed did not. Both must set 'document.domain' to the same value to allow access.
xd_arbiter.php:18Unsafe JavaScript attempt to access frame with URL http://www.mydomain.com/control/myfacebookapp/ from frame with URL http://static.ak.facebook.com/connect/xd_arbiter.php?version=18#cb=f2e4fe7b…os.com%2Ff4aeadb2&domain=www.mydomain.com&relation=parent&error=unknown_user. The frame requesting access set 'document.domain' to 'facebook.com', but the frame being accessed did not. Both must set 'document.domain' to the same value to allow access. xd_arbiter.php:18
2.When I try the http url(http://apps.facebook.com/myfbappnamespace/), the error shown in console is:
Unsafe JavaScript attempt to access frame with URL http://apps.facebook.com/myfbappnamespace/ from frame with URL https://s-static.ak.facebook.com/connect/xd_arbiter.php?version=18#channel=…Fcontrol%2Ffacebookappchannelurl%3Ffb_xd_fragment%23xd_sig%3Df23e84e85c%26. The frame requesting access has a protocol of 'https', the frame being accessed has a protocol of 'http'. Protocols must match.
Now when I login to my fb account to see what happens with these errors, they are gone, again only sometimes. I know that I am using "most of the times" and "sometimes" here in my query but that is exactly what is happening with me. I have also searched forums and realize that fb has already fixed this old issue which was supposed to be chrome specific. I have made sure that my FB.init and other calls are location.protocol value specific. Also configured correct values in canvas url (http) and secure canvas url (https). Also tried with both the settings: Account Settings -> Security -> Secure Browsing -> (Enabled as well as Disabled)
Can somebody please help if I am missing something somewhere?