Facebook: Unsafe JavaScript issue (document.domain values should be same)

Question

Mine is a FB App based on canvas. Facing an issue both on Chrome and Firefox, (although usually Chrome):

1.When I hit my approved fb app secure URL on a new incognit

Answer 1

There are a lot of possible issues. Try with one of these solutions:

• protocols must be the same (so the page that attempts to access the iframe must have the same protocol of the site that deliver the iframe), so if you are testing your app in sandbox mode (http instead of https), disable the "Secure browsing" mode of your testing account
• channelUrl on FB.init() (see code below)
• enable the headers mod of apache and put the below lines in your .htaccess
• put the <div id="fb-root"></div> after the body tag as explained in the fb doc here: https://developers.facebook.com/docs/reference/javascript/
• try to put all the automated login code after a user action (like a click on a login button)
• remove the trailing slash from the Canvas URL (in app→settings) like http://yoursite.com?
• edit your <html> tag like this: <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="https://www.facebook.com/2008/fbml">

Code for .htaccess

<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>

Code for channels issue:

FB.init({
    appId: '1234567890',
    status: true,
    cookie: true,
    xfbml: true,
    channelUrl : '//yoursite.com/channel.html'
});

The channel.html delivered by your server should contain this single line:

<script src="//connect.facebook.net/en_US/all.js"></script>

EDIT

About your first issue:

The page at about:blank displayed insecure content from http://static.ak.facebook.com/connect/xd_arbiter.php?version=18#cb=f2e4fe7b…os.com%2Ff4aeadb2&domain=www.mydomain.com&relation=parent&error=unknown_user.

This is an expected exception that is used to test for a condition - this has no side effects so don't care about it.

Please refer to this question: Unsafe JavaScript attempt to access frame with URL: Domains, protocols and ports must match.

Answer 2

In my case I had a "facebook-like-box" at "_Layout" view and I had to customize some CSS for it, at the global.css file.

.fb_iframe_widget, .fb_iframe_widget span, .fb_iframe_widget span iframe[style] {
    width: 100% !important;
}

Then, when I tried to load internal pages, such as Articles and News, which has a share button for facebook, it starts to give me this error:

Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "http://localhost:51826" from accessing a frame with origin "http://static.ak.facebook.com". The frame being accessed set "document.domain" to "facebook.com", but the frame requesting access did not. Both must set "document.domain" to the same value to allow access.

Somehow I think that line of CSS code was causing this issue (by being at the global scope), trying to access and modify behavior of the iframe for my share button.

1. Removing that line of CSS code solved the problem.
2. Moving that line of CSS code to the specific page which has the "facebook-like-box" inside < style > tags.