• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.
  • This forum is for release discussion only. Discussions that do not relate specifically to the resource release should be discussed in another, more appropriate forum.
  • This forum has been archived. New threads and replies may not be made. All add-ons/resources that are active should be migrated to the Resource Manager. See this thread for more information.

Important Facebook Change

Mike Edge

Well-known member
#1
For October 1st, you need to connect to FB over a secure connection.

Go into fb_channel.php and change the bottom line to..

<script src="https://connect.facebook.net/<?php echo htmlspecialchars($locale); ?>/all.js"></script>

In template account_facebook

change both facebook urls to https:// instead of the current http://

In page_container change line 2 to:

<html id="XenForo" lang="{$visitorLanguage.language_code}" class="Public {xen:if {$visitor.user_id}, 'LoggedIn', 'LoggedOut'} {xen:if {$sidebar}, 'Sidebar', 'NoSidebar'}" xmlns:fb="https://www.facebook.com/2008/fbml">

Also you will need to have SSL for your site or FB connect will fail auth.
 

ChemicalKicks

Well-known member
#2
I propose everyone ditches facebook integration, do you really want your users getting SSL nags about insecure content getting displayed on your forum all for a couple of "likes/recommends"?
 

Kier

XenForo Developer
Staff member
#8
If your using the changes above, there should be no nagging for secure connections.
I've found reference to the deprecation of old connection methods and a migration to Oath 2 (which we already use in XenForo) but I have found absolutely no reference to a mandated SSL request. The most recent Facebook developer blogs don't mention it, and all the code examples on the Facebook developer site still use the http:// method.
 

Kier

XenForo Developer
Staff member
#10
Correct, Also Kier if you join https://www.facebook.com/groups/fbdevelopers/ you can indeed confirm auth connections via http will result in a 301 error page. I haven't found docs confirming this. But it is coming first hand from FB staff in the group that it will.
I'll see what I can find, but from the docs that are there, it appears to be referring to canvas apps, rather than website interaction plug-ins and tools such as used by XenForo.
 

Mike Edge

Well-known member
#13
It has been confirmed though that all calls to all.js will need to be changed to https://connect.facebook.net

The impression the developer group has is that it will be required to use SSL as they are considering the connect button to be a tab. I messaged Cat Lee who is the Program Manager for 3rd party developer relations at FB to clearify. I'll update once I hear back.
 
#14
I really don't think so but you can proof me wrong.

If that's really true, at least 90% of the sites would go without facebook (connect) instead of using SSL.
 

Mike Edge

Well-known member
#16
I really don't think so but you can proof me wrong.

If that's really true, at least 90% of the sites would go without facebook (connect) instead of using SSL.
I have a SSL cert, so not really worried either way. I think FB though is more concerned with securing their platform over breaking small 3rd party sites using FB connect. A lot of the older FBML apps that will be broken come Oct 1st proves that.

Great Kier, be great to get official word on this.