Accounts-facebook fails when the site uses SSL

oligofren · April 8, 2015, 6:51pm

My app has so far lived “unsecured” - meaning no redirection to https:// by default. This has worked fine in conjunction with the accounts-facebook package, which creates its own SSL enabled connection to Facebook when doing its OAuth magic.

My problems started when I tried acessing my site using https instead of http. The pop-up window halts quickly and by reading its console output I can see the following message

Uncaught SecurityError: Blocked a frame with origin "http://wishlist-foobar.meteor.com" from accessing a frame with origin "https://wishlist-foobar.meteor.com".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "https". Protocols must match.

I thought this might have something to do with the site url in the app’s facebook settings, but changing the http to https in that setting got me nowhere. Still got the same message. How is this supposed to work? I am not hardcoding the http part of the path anywhere except the facebook settings, so this seems to be something the accounts-facebook package is doing.

This is my app settings on Facebook. Observe the non-SSL site url. I am not allowed to put images in my post as a new user, but if I could, they would be found on this page: http://i58.tinypic.com/2ypntdu.png

loren · June 24, 2015, 3:10pm

Curious to know whether you figured it out? I have the same problem, but in reverse (trying to access http when the site and settings are https), and in Chrome but not Safari: http://bit.ly/1KamkOR

oligofren · June 24, 2015, 4:16pm

Nope, sorry. The way this forum works does not seem too great for gathering top content. Seems like the posts disappear. Try StackOverflow and see how far that gets you, and report back.

My workaround was to force http … which was fine for this small demo app.

oligofren · June 30, 2015, 9:18pm

I finally found a good piece of info. It turns out you need to set the ROOT_URL environment variable for the callbacks to work. See these SO links for more:
Google OAuth
Why is ROOT_URL a required environment variable for bundle deployment?

loren · June 30, 2015, 9:38pm

Thanks, but wasn’t a fix for me – was already setting ROOT_URL. Switching to redirect instead of popup for now.

oligofren · July 1, 2015, 7:57am

I checked out your site now and see that you set “ROOT_URL”:“https://yoursite.io”, so that seems legit … Not seeing that error you talked about in that SO thread though (failing on first attempt).

Hope you find out what was your problem, and do post back here or on that SO question.