Facebook Secure Browsing: The SSL Certificate
One of the big developments in the March 2011 Facebook Page overhaul was support for iFrames in Fan Page custom tabs. Until then, iFrames were only allowed on canvas pages and, even there, required the user to click an image or text to “activate” (load) the iFramed content.
Because an iFrame app contains content from your own website, the security certificate level of your webpage can affect whether your iFrame app content is displayed on Facebook.
Why are security levels important?
In general, you can differentiate between three types of security certificate levels:
1. When a user visits a page served over http, their connection is open for eavesdropping and man-in-the-middle (MITM) attacks.
2. On a page served over https, the user’s connection with the web server is authenticated and encrypted with SSL and hence safeguarded from eavesdroppers and MITM attacks.
3. An HTTPS page that includes HTTP content is called “Mixed Content”. This means that the (unencrypted) HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS.
How do security levels affect the visibility of my iFrame?
So-called Mixed Content Blockers block certain HTTP requests on HTTPS pages.
Some browsers, such as Firefox and Google Chrome, will by default block the content of your iFrame app if the content source is not perceived as secure enough.
How might this look in practice?
The example here shows an iFrame with blocked mixed content in the Firefox browser.
Users who encounter this issue must manually allow the browser to display the un-certified content by clicking on the ‘shield’ icon.
The process for enabling mixed content in Google Chrome is essentially identical to that in Mozilla Firefox.
How can I, as the creator of an iFrame app, avoid this issue?
When you create an iFrame app, please note whether the page providing content for your application is encrypted (https) or not (http).
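One way to run this check before publishing a tab, as an added example that is not part of the original article: it flags an app URL that is itself plain HTTP and, going slightly beyond the text, also lists HTTP subresources inside an HTTPS app page. The function name, the `example.com` URLs and the sample markup are constructed for illustration, and the active/passive split is general browser behaviour rather than something the article states.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> (URL attribute, kind). "active" content (frames, scripts, stylesheets,
# plugins) is what mixed content blockers refuse to load; "passive" content
# (images, media) has traditionally been displayed with a warning instead.
LOADS = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "object": ("data", "active"),
    "embed": ("src", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
    "source": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in LOADS:
            return  # e.g. <a href>: a navigation link, not a subresource
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        attr, kind = LOADS[tag]
        if attrs.get(attr):
            # Relative and protocol-relative (//host/x) URLs inherit the page scheme
            url = urljoin(self.page_url, attrs[attr].strip())
            if urlparse(url).scheme == "http":
                self.findings.append((kind, tag, url))

def audit_iframe_app(app_url, html):
    """Return (kind, tag, url) findings for an app page framed by an HTTPS parent."""
    if urlparse(app_url).scheme != "https":
        # The frame itself is the mixed content, so the whole app is blocked.
        return [("active", "iframe", app_url)]
    scanner = MixedContentScanner(app_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from a real app
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/tab.css">
<script src="//cdn.example.com/app.js"></script></head><body>
<img src="http://img.example.com/banner.png"><img src="/static/logo.png">
<a href="http://example.com/more">more</a></body></html>"""
```

An empty result means neither the app URL nor any statically referenced subresource would load over HTTP; resources added later by scripts are not covered by this static scan.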
Get the certificate
If it is the latter, one way to ensure that users will not experience blocked content is to get an HTTPS certificate. In most cases your server provider will have a solution for you, so contact your provider and ask for assistance in the matter.