• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Service issue Register via Facebook broke in canvas..

Mike Edge

Well-known member
#1
Trying to login or create an account inside of Facebook canvas broke again in upgrading to 1.4.4. Returning back to site produces a white page with no further errors. This worked with 1.4.3 and $config['enableClickjackingProtection'] = false; is already added to config.php
 

Chris D

XenForo developer
Staff member
#2
We've not explicitly made any changes there.

Do you have a way of testing this on a different set up?

White pages are usually suppressed server errors. If you add to config.php:

Code:
ini_set('display_errors', true);
And try again do you get any more info?
 

Mike Edge

Well-known member
#3
Still just a blank page, same with viewing source. Oddly I found if you right click the login with facebook and open in new tab it opens the page to create an account. Can I PM you my canvas URL @Chris D to take a closer look?
 

Mike Edge

Well-known member
#4
Using now as a temp fix
Code:
  <li><a href="{xen:link register/facebook, '', 'reg=1'}" class="fbLogin" tabindex="110" target="_blank"><span>{xen:phrase login_with_facebook}</span></a></li>
Though foricing a new tab on someone is a bit intrusive imo.. So hopefully we can get this resolved soon.
 

Chris D

XenForo developer
Staff member
#6
This is logged in the browser console:
Code:
Refused to display 'https://www.facebook.com/dialog/oauth?client_id=123&scope=publi…123&redirect_uri=<YOUR URL>' in a frame because it set 'X-Frame-Options' to 'DENY'.
(I have redacted any potentially private identifiers).

I don't get any sort of blank page, though.
 

Mike Edge

Well-known member
#7
This is logged in the browser console:
Code:
Refused to display 'https://www.facebook.com/dialog/oauth?client_id=123&scope=publi…123&redirect_uri=<YOUR URL>' in a frame because it set 'X-Frame-Options' to 'DENY'.
(I have redacted any potentially private identifiers).

I don't get any sort of blank page, though.

hmmm I have $config['enableClickjackingProtection'] = false; so wonder why it is setting to deny and more so, why this changed in 1.4.4
 

Chris D

XenForo developer
Staff member
#8
It hasn't changed in XF 1.4.4 (from a code perspective).

We don't actually set DENY as a value anywhere. DENY is coming from your server somewhere (or certainly not from XF at least).

Could you remove the clickjackprotection line from your config.php and let me have another look?
 

Mike

XenForo developer
Staff member
#10
Unfortunately, the page being loaded into the iframe is a Facebook page and Facebook is sending the header. The only way to workaround this would be to break out of the iframe. There's nothing that we can do at this time (changing the FB integration approach may solve it but that's not a feasible change currently).
 

Chris D

XenForo developer
Staff member
#11
I see, that's what causes the page to go white, then.

Yeah the DENY thing isn't coming from XF.

If you look at the previous error, and compare it to this one now that click jacking is enabled:
Code:
 Refused to display 'https://YOUR-URL.com/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
The previous message, it's actually a Facebook URL which is sending the DENY header. As you'll see from the most recent error, now clickjack protection is re-enabled, it's your URL that is sending a header (the correct one for clickjack protection being enabled).

So doing a little bit more digging, actually, Facebook have changed something so that the oauth dialog cannot be opened within an iframe. Therefore, at the moment, opening it in a new tab is all FB will allow you to do.
 

Mike Edge

Well-known member
#12
Unfortunately, the page being loaded into the iframe is a Facebook page and Facebook is sending the header. The only way to workaround this would be to break out of the iframe. There's nothing that we can do at this time (changing the FB integration approach may solve it but that's not a feasible change currently).
so opening in a new tab is about the only feasible solution at this point @Mike ?
 

Mike Edge

Well-known member
#13
I see, that's what causes the page to go white, then.

Yeah the DENY thing isn't coming from XF.

If you look at the previous error, and compare it to this one now that click jacking is enabled:
Code:
 Refused to display 'https://YOUR-URL.com/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
The previous message, it's actually a Facebook URL which is sending the DENY header. As you'll see from the most recent error, now clickjack protection is re-enabled, it's your URL that is sending a header (the correct one for clickjack protection being enabled).

So doing a little bit more digging, actually, Facebook have changed something so that the oauth dialog cannot be opened within an iframe. Therefore, at the moment, opening it in a new tab is all FB will allow you to do.

Thanks Chris, I wonder if it's new for prep of the new oAuth coming out.