• This forum is for release discussion only. Discussions that do not relate specifically to the resource release should be discussed in another, more appropriate forum.
  • This forum has been archived. New threads and replies may not be made. All add-ons/resources that are active should be migrated to the Resource Manager. See this thread for more information.

Important Facebook Change

Mike Edge

Well-known member
For October 1st, you need to connect to FB over a secure connection.

Go into fb_channel.php and change the bottom line to..

<script src="https://connect.facebook.net/<?php echo htmlspecialchars($locale); ?>/all.js"></script>

In template account_facebook

change both facebook urls to https:// instead of the current http://

In page_container change line 2 to:

<html id="XenForo" lang="{$visitorLanguage.language_code}" class="Public {xen:if {$visitor.user_id}, 'LoggedIn', 'LoggedOut'} {xen:if {$sidebar}, 'Sidebar', 'NoSidebar'}" xmlns:fb="https://www.facebook.com/2008/fbml">

Also you will need to have SSL for your site or FB connect will fail auth.
 

ChemicalKicks

Well-known member
I propose everyone ditches facebook integration, do you really want your users getting SSL nags about insecure content getting displayed on your forum all for a couple of "likes/recommends"?
 

ChemicalKicks

Well-known member
How would you get past the mixed content nags?

I'm probably being extreme but I'm just not playing with facebook anymore.
 

Kier

XenForo developer
Staff member
If your using the changes above, there should be no nagging for secure connections.
I've found reference to the deprecation of old connection methods and a migration to Oath 2 (which we already use in XenForo) but I have found absolutely no reference to a mandated SSL request. The most recent Facebook developer blogs don't mention it, and all the code examples on the Facebook developer site still use the http:// method.
 

Kier

XenForo developer
Staff member
Correct, Also Kier if you join https://www.facebook.com/groups/fbdevelopers/ you can indeed confirm auth connections via http will result in a 301 error page. I haven't found docs confirming this. But it is coming first hand from FB staff in the group that it will.
I'll see what I can find, but from the docs that are there, it appears to be referring to canvas apps, rather than website interaction plug-ins and tools such as used by XenForo.
 

Crazy-Achmet

Well-known member
Yeah, the SSL will be required for canvas apps (for pages)! ;) So Facebook Connect will still work without an "secure connection"
 

Mike Edge

Well-known member
It has been confirmed though that all calls to all.js will need to be changed to https://connect.facebook.net

The impression the developer group has is that it will be required to use SSL as they are considering the connect button to be a tab. I messaged Cat Lee who is the Program Manager for 3rd party developer relations at FB to clearify. I'll update once I hear back.
 

Crazy-Achmet

Well-known member
I really don't think so but you can proof me wrong.

If that's really true, at least 90% of the sites would go without facebook (connect) instead of using SSL.
 

Mike Edge

Well-known member
I really don't think so but you can proof me wrong.

If that's really true, at least 90% of the sites would go without facebook (connect) instead of using SSL.
I have a SSL cert, so not really worried either way. I think FB though is more concerned with securing their platform over breaking small 3rd party sites using FB connect. A lot of the older FBML apps that will be broken come Oct 1st proves that.

Great Kier, be great to get official word on this.
 

robdog

Well-known member
Sweet! I mean I would of bought the multi-site cert, but I am pretty happy I do not have to deal with that now! :)
 
Top