Security issues with custom tabs on Facebook using iframes

The new Facebook method for creating custom tabs has a serious flaw: users who have their account settings set to force Facebook to use SSL get errors when the iframed page is not served over https (and most are not). This is noticeable in Chrome and Safari. Here is the problem…

Facebook CEO Mark Zuckerberg had his own account hacked, so Facebook added an option in the account settings that lets users browse Facebook over SSL (Secure Sockets Layer), which can be recognised by the https prefix in the address instead of http.

On March 11, Facebook deprecated the use of FBML (Facebook Markup Language) and began using iframes. This makes it more difficult for the average Facebook user to set up a custom tab on their business page, as there are more steps involved. But now you can do anything you want on your custom tab. Because the page actually resides elsewhere, you can use Flash, videos, and any kind of database-backed programming you like. This is a real plus for business pages. But…

If users have set their security setting as shown above, they may get an error like this:

This also seems to be the case when using Safari. Or the page may simply not display at all (in Firefox). The reason is that Facebook is using an SSL connection, but the iframed page is not. If your external page also uses SSL, the framed content appears correctly. Of course, hardly any external pages are set up to use SSL, so your Facebook visitors only see an error and think you are incompetent.

Users who have not set Facebook to use SSL, and who visit a tab that does use SSL, appear to be fine (although I’d like feedback on that). So the work-around is to use SSL for any custom-designed tab. Facebook needs to resolve this issue, but until they do, set up your custom tabs on a secure server. If you don’t have a secure server, there is no solution.

3 thoughts on “Security issues with custom tabs on Facebook using iframes”

  • I just did a test to make sure I wasn't out of line: I created a page that contained an iframe pointing to a non-secure page on a different server. I then viewed this page over a secure connection – it works correctly outside of Facebook (even in Chrome), so the problem is definitely a Facebook design flaw.

  • Facebook is certainly an interesting and challenging platform to develop for. As of today, they have now changed this so that if you are on a secure connection, non-secure custom tabs simply don't show up! I guess that is their "solution" to this issue – just hide the company's custom tab. If only the wall displays, the user may not know any better (of course your custom content is invisible).

  • As of last night, Facebook added two new fields to their application settings, designed to accommodate secure versus non-secure servers. While still a design flaw, we now have a functioning work-around.
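As an added example (not code from the original post, the comments, or Facebook), the following models the mixed-content rule behind the error described in the post, an https page framing an http page, and the "secure versus non-secure" URL selection the last comment describes. The field names pageUrl and secureUrl and the example hostnames are assumptions; the post does not name the new fields.

```javascript
// Model of the browser's mixed-content decision for an iframed custom tab.
// An https document that frames an http document is "blockable" mixed
// content: the browser refuses the frame (blank tab or an error), which is
// what the post observed in Chrome, Safari and Firefox. The reverse (an http
// parent framing an https page) and https-in-https both load normally.
function classifyEmbed(parentPageUrl, tabUrl) {
  const parent = new URL(parentPageUrl);
  // Resolve against the parent so a scheme-relative "//host/path" inherits
  // the parent's scheme instead of hard-coding http.
  const tab = new URL(tabUrl, parentPageUrl);
  if (parent.protocol === 'https:' && tab.protocol === 'http:') {
    return 'blocked';
  }
  return 'ok';
}

// Pick the tab URL to hand to the host page. Assumed shape of the two
// application fields the comment mentions: a plain URL and a secure URL.
// An SSL visitor with no https URL configured is a configuration error,
// not something to fall back from, because the frame would be blocked.
function selectTabUrl({ pageUrl, secureUrl }, visitorOnSsl) {
  if (visitorOnSsl) {
    if (!secureUrl) throw new Error('SSL visitor but no https tab URL configured');
    return secureUrl;
  }
  return pageUrl || secureUrl;
}

// Walk a constructed application configuration through both visitor modes,
// comparing the chosen URL against naively always using the plain URL.
function demo() {
  const app = { pageUrl: 'http://tabs.example.com/promo',
                secureUrl: 'https://tabs.example.com/promo' };
  const results = {};
  for (const [label, host] of [['ssl', 'https://www.facebook.com/examplepage'],
                               ['plain', 'http://www.facebook.com/examplepage']]) {
    const onSsl = host.startsWith('https:');
    const chosen = selectTabUrl(app, onSsl);
    results[label] = { chosen,
                       status: classifyEmbed(host, chosen),
                       naive: classifyEmbed(host, app.pageUrl) };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```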

