

Ask HN: Facebook iFrame authentication in Safari? Please help. - EGreg

This is a question for anyone who's ever made an iFrame app in facebook, or a 3rd party widget that would run in a website (I'm doing the latter).

How can I authenticate with facebook? It seems that the fbs_<app_id> cookie isn't being set when I'm on Safari, because the iframe is showing my widget which is on another domain.

I heard that submitting a form with target="_self" might cause Safari to treat my domain as "visited" and then the cookies would be set. It seems to work. However, the fbs_<app_id> cookie is STILL not being set after the whole facebook authentication popup is done. Does anyone know why? Please help me figure out how to actually auth with facebook when I'm in an iframe!
======
cd34
response.headers['P3P'] = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'

~~~
EGreg
This works for IE, but what about Safari?

~~~
cd34
That was taken right out of an IFrame canvas app that I just retested in
Safari - both a new app install, and revisiting an app after 2+ hours for the
default token to have expired.

~~~
EGreg
In my case, the fbs_APPID cookie isn't being set.

Instead I get this: <http://grab.by/8rmQ>

Does anyone know why these cookies are being set? The PHP library doesn't seem
to work with those.

~~~
cd34
Two possibilities. Is the clock on the machine set correctly? The appid cookie
has a short 3600 second expiration, which means if your timezone is off, or you
aren't taking into account Daylight Savings Time, the cookie will expire
before it is set.

The other possibility is that the API you're using isn't using the Javascript
SDK get_facebook_cookie which initializes the session through FB.Init and
parses the data passed to it and sets the cookie locally.

Are you calling the Javascript SDK? I haven't used the PHP Library in quite
some time, but, it is possible that you're using a library that is written for
the older FBML rather than the IFrame canvas.

Are you able to run liveheaders, or some other network capture tool, to see
what is actually being sent?

~~~
EGreg
Here is what I am doing. I am calling FB.init and FB.login, after a click so
that the popup window shows up.

You can see it live here: <http://qbix.com>

Now, if you go and put it in an iframe (try it with jsfiddle.com or
something), then in every browser except Safari and IE, it works: the popup
shows up, and after I click Allow, the fbs_ cookie gets placed.

In IE, I think I can easily make it work by sending a cool P3P header so IE
can save cookies.

In Safari, I can make cookies be saved by first posting into that frame. In
your jsfiddle or page or whatever, make a form with method="post" and
target="thatframename" and then submit() that form using JavaScript. Now the
cookies should be set for my domain, right?

Yes, but now open up the Developer console in Safari, and click "Storage".
Watch what gets saved. A bunch of weird cookies by facebook. On every other
browser, the fbs_ cookie gets saved but here we get a bunch of weird cookies.
Why? How can I get the fbs_ cookie saved so I can make calls to my server and
have the user authenticated properly? See what I mean?
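
An added example, not part of the thread and not Facebook's or any poster's code: a server-side check of the fbs_<app_id> cookie that reports why a cookie is rejected, which separates the blocked third-party cookie case from the clock problem cd34 describes. It assumes the legacy cookie layout (URL-encoded fields plus `sig` = MD5 of the sorted `key=value` pairs followed by the app secret), which the thread does not spell out; the function names, app id, secret and cookie values are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode


def sign_fields(fields, app_secret):
    # Assumed legacy scheme: MD5 over sorted "key=value" pairs, then the app secret.
    payload = "".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hashlib.md5((payload + app_secret).encode()).hexdigest()


def check_fbs_cookie(cookies, app_id, app_secret, now=None):
    """Return (status, fields); status is ok, missing, malformed, bad_sig or expired."""
    now = time.time() if now is None else now
    raw = cookies.get("fbs_" + app_id)
    if not raw:
        return "missing", None  # e.g. the browser refused the third-party cookie
    fields = {k: v[-1] for k, v in parse_qs(raw.strip('"')).items()}
    if "sig" not in fields or not fields.get("expires", "").isdecimal():
        return "malformed", None
    expected = sign_fields(fields, app_secret)
    # Constant-time comparison so the check does not leak how much of sig matched.
    if not hmac.compare_digest(expected.encode(), fields["sig"].encode()):
        return "bad_sig", None
    expires = int(fields["expires"])
    if expires != 0 and now >= expires:
        return "expired", fields  # signature is valid, but the server clock is past expiry
    return "ok", fields


def make_constructed_cookie(fields, app_secret):
    # Helper for the demo: builds a constructed cookie value, not a real Facebook one.
    return urlencode({**fields, "sig": sign_fields(fields, app_secret)})


if __name__ == "__main__":
    APP_ID, SECRET = "1234567890", "constructed-app-secret"  # constructed values
    issued = 1_300_000_000
    value = make_constructed_cookie(
        {"access_token": "constructed|token", "expires": str(issued + 3600), "uid": "42"},
        SECRET)
    jar = {"fbs_" + APP_ID: value}
    for label, clock in [("clock correct", issued + 60), ("clock one hour fast", issued + 3660)]:
        print(label, "->", check_fbs_cookie(jar, APP_ID, SECRET, now=clock)[0])
    print("no cookie sent ->", check_fbs_cookie({}, APP_ID, SECRET)[0])
```

Logging the status on each request shows whether the browser never sent the cookie ("missing") or sent one the server rejected for its signature or its expiry.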

