My app has so far lived “unsecured” - meaning no redirection to https:// by default. This has worked fine in conjunction with the accounts-facebook package, which creates its own SSL enabled connection to Facebook when doing its OAuth magic.
My problems started when I tried acessing my site using https instead of http. The pop-up window halts quickly and by reading its console output I can see the following message
Uncaught SecurityError: Blocked a frame with origin "http://wishlist-foobar.meteor.com" from accessing a frame with origin "https://wishlist-foobar.meteor.com". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "https". Protocols must match.
I thought this might have something to do with the site url in the app’s facebook settings, but changing the http to https in that setting got me nowhere. Still got the same message. How is this supposed to work? I am not hardcoding the http part of the path anywhere except the facebook settings, so this seems to be something the accounts-facebook package is doing.
This is my app settings on Facebook. Observe the non-SSL site url. I am not allowed to put images in my post as a new user, but if I could, they would be found on this page: http://i58.tinypic.com/2ypntdu.png