Web App in Facebook Canvas / X-Frame-Options Deny Case [duplicate]

Submitted by 魔方 西西 on 2020-01-06 19:41:09

Question


I know there are several entries related to the topic I mentioned, but after I checked most of them I couldn't find a case similar to the one I encountered.

I am implementing a simple web application using the Spring MVC framework. The web application itself is working OK. Then I tried to define some parts of the application as a Facebook application in which certain JSPs will be displayed in Facebook's canvas.

In the Spring Controller part related to the Facebook application definition (through the secure canvas URL defined in the Facebook app admin page), I check the POST message received from Facebook for the "signed_request" parameter; if it does not include an "oauth_token" value, then I try to redirect to the Facebook authentication flow as:

redirect:https://www.facebook.com/dialog/oauth?client_id=#1&redirect_uri=#2

(#1 is a placeholder for my app's id, and #2 is a placeholder for the URL that I want Facebook to redirect to after a successful authentication, a URL related to my own web application)

In my current situation, what I observe is: I opened the Facebook page where the application is presented, got an HTTP POST via Facebook, returned the redirect to the Facebook side, and the browser then makes an HTTP GET request with the URL

https://www.facebook.com/dialog/oauth?client_id=#1&redirect_uri=#2

But after that it receives an error like:

Refused to display 'https://www.facebook.com/dialog/oauth?client_id=......&redirect_uri=.....' in a frame because it set 'X-Frame-Options' to 'DENY'.

I first thought it was my environment that returned the X-Frame-Options header value as DENY, so I changed the Spring Security configuration, but nothing changed.

Then, just as a try, I defined the redirect_uri as my application's page URL in Facebook, but nothing changed.


Answer 1:


I assume you are trying to redirect inside the iframe, and Facebook does not allow their content to be accessed in an iframe. Redirect the top window or (much better) use the JavaScript SDK for login.

More information about the JS SDK:

  • https://developers.facebook.com/docs/javascript/quickstart/
  • http://www.devils-heaven.com/facebook-javascript-sdk-login/


Source: https://stackoverflow.com/questions/31136108/web-app-in-facebook-canvas-x-frame-options-deny-case
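
The top-window redirect suggested in the answer, as an added example that is not part of the original question or answer: a Node.js sketch that verifies the canvas POST's signed_request and, when it carries no oauth_token, returns a small page that navigates the top window to the login dialog instead of sending a 302 that would load the dialog inside the iframe. The function names and the APP_ID, APP_SECRET and REDIRECT_URI values are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed placeholder values, not taken from the post.
const APP_ID = '1234567890';
const APP_SECRET = 'example-app-secret';
const REDIRECT_URI = 'https://app.example.com/canvas/';

const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Builds a signed_request for the constructed samples: "<signature>.<payload>".
function sign(payload, secret) {
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  return b64url(crypto.createHmac('sha256', secret).update(body).digest()) + '.' + body;
}

// Checks the HMAC-SHA256 signature (keyed with the app secret) over the encoded
// payload. Returns the decoded payload, or null if anything fails to verify.
function parseSignedRequest(signedRequest, secret) {
  const [sigPart, payloadPart, ...rest] = String(signedRequest).split('.');
  if (!sigPart || !payloadPart || rest.length) return null;
  const expected = crypto.createHmac('sha256', secret).update(payloadPart).digest();
  const given = Buffer.from(sigPart, 'base64'); // Node's decoder also accepts base64url
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const data = JSON.parse(Buffer.from(payloadPart, 'base64').toString('utf8'));
    return data && data.algorithm === 'HMAC-SHA256' ? data : null;
  } catch (e) {
    return null;
  }
}

// Body to return for the canvas POST: null when the user has already authorized
// the app, otherwise a page whose script sends the top window to the login dialog.
function canvasResponse(signedRequest) {
  const data = parseSignedRequest(signedRequest, APP_SECRET);
  if (data === null) throw new Error('invalid signed_request');
  if (data.oauth_token) return null;
  const url = 'https://www.facebook.com/dialog/oauth?client_id=' +
    encodeURIComponent(APP_ID) + '&redirect_uri=' + encodeURIComponent(REDIRECT_URI);
  // JSON.stringify gives a quoted JS string; escape "<" so it cannot end the script tag.
  const literal = JSON.stringify(url).replace(/</g, '\\u003c');
  return '<!DOCTYPE html><script>window.top.location.href = ' + literal + ';</script>';
}

// Constructed sample: a first visit, where the payload has no oauth_token.
console.log(canvasResponse(sign({ algorithm: 'HMAC-SHA256', issued_at: 1435600000 }, APP_SECRET)));
```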
