Javascript :: Facebook Signed_request Data And Some Security Concearns?

Dec 28, 2011

We've just developed a small Facebook puzzle that people win some gifts from our customer. I'd like to ask a few questions since I'm pretty stuck despite tried lots of things. First I'd like to write what we have and then will explain our problems.oot of application (/) checks for signed_request in POST params, extracts information from it to see if we've registered the logged in user into our database. This checks are also used to understand if the request is sent from Facebook or not to prevent requests coming outside of Facebook. (will write why we want this)Once the application is successfully rendered, Facebook JS API takes place, does its checks and sets the fbsr cookie. We use that cookie information while processing ajax requests to check if the request really belongs to the logged in user (e.g.: scores being sent for a user belong to the logged in user).

We implemented CSRF protection and another protection to check if the requests are POST and more specifically AJAX requests and return 40x if not.nd out that some people seem to take advantage of this bug.One way I thought of is to ignore all requests except coming from Facebook. Since the ajax requests are blocked (cross site) we should have been safe. However this leaded to another problem that, once we redirect users to e.g. leaderboard the signed_request data is lost and our index page returns 40x once the user tries to go back since our application thinks that the user tries to visit our application outside of Facebook.

View 1 Replies


Similar Posts:


Flash :: Facebook Connect And Actionscript - Make All Of The Facebook API Calls Via JavaScript

Jun 1, 2009

I'm trying to determine the practical difference between using the com.facebook.session.WebSession and com.facebook.session.JSSession. The documentation ([URL]) has more around WebSession - but the example I have which is closest to what solution I'm trying to implement uses JSSession and it looks like I could avoid all of the JavaScript pass-through & ExternalInterface calls I'm making. It appears that the benefit of using this new ActionScript Facebook API is to avoid having to make all of the Facebook calls via JavaScript.

View 5 Replies

Php :: Facebook Proxy Loader Security?

May 19, 2011

I'm using a PHP proxy script to load images from Facebook into Flash without any sandbox violations. It is taken from the guide here: [URL].. The relevant PHP code is:

[Code]...

The guide mentions that additional security measures are recommended for a real world application. What additional measures would be applicable to this? Maybe some kind of key passed from Flash to PHP?

I realise that there's nothing I can do to completely protect the Flash from being decompiled, but can I prevent the script from being used maliciously?

View 1 Replies

Javascript :: Flash - Security / Protecting Code In JavaScript?

May 10, 2010

With all the recent hype about JavaScript and HTML5 replacing Flash, I wanted to know - How would it be possible to protect client-side js code? Of course, it is possible to obfuscate it, but that would only make it a little harder. Also, for games which submit high scores to the server, wouldn't it be incredibly easy to modify those scores before they are sent to the server? I know even Flash files can be decompiled, but they can be obfuscated and flash decompilation is not as easy as modifying data in JS - could be done easily using a plugin such as Firebug. I'd like to know everyone's views on this.

View 2 Replies

ActionScript 3.0 :: Facebook - External Interface Security Error

Apr 7, 2010

I am trying to make an external interface call on widgets I am creating to get the domain for in/out of network stats.

[Code]...

From what I am reading an allowscriptaccess needs to be set to always, which I can't do because there isn't embed code that is sent to Facebook during a share so I don't have control over that.

View 1 Replies

Actionscript 3 :: Getting Actual Facebook And Twitter Profile Image URLS For Flex Security Policy?

Oct 25, 2011

I'm trying to display the profile images from both facebook and twitter. For facebook, the URLs I'm receiving are something like this (not actual urls):[URL]... Which is then redirected to the 'actual' url like this:[URL].. I'm also doing this with twitter, with the same issue (redirected url).

So, when I load the image, it loads fine. But when I close the container that the image is in, then I get the security sandbox violation. I can get this all to work if I add the URL from the 'actual' image url like this:

[Code]..

View 1 Replies

Javascript :: Calling With Security Exception?

Mar 14, 2010

I have a swf hosted at domain A, and I have a html at domain B My swf is able to be loaded from accessing the html at domain B. However, the swf gets a SecurityError: Error #2060: Security sandbox violation:

[Code]...

View 1 Replies

Javascript :: Graphs In A Facebook App?

Nov 14, 2009

I've been messing around a bit with a Facebook application for a while now, which is using FBML. A need has arisen to integrate graphs to display data. From what I can tell my options would be one of the following:

Find a Flash Graph that doesn't require a JavaScript library to work Convert the application to an IFrame application, and hope that Facebook wont break the Graph JavaScript Generate the graph serverside with GD or ImageMagick I would preferably not go with option 3, due to how boring generated graphs look, and serverside load.

Does anyone have any opinions or suggestions on how I would best solve this?

View 2 Replies

Javascript :: Interact With Facebook, Using The SDK?

Feb 17, 2012

I'm triyng to use the Facebook AS3 API but it's actually inconsistent. Frustrating.I'm thinking to use the Javascript SDK, from an Flash/AS3 based app, using the ExternalInterface object, and the addCallback method...

View 1 Replies

Javascript :: Looking For Resources To Explain A Security Risk?

Jun 18, 2010

I've a developer which has given users the ability to download a zip archive which contains an html document which references a relative javascript file and flash document.The flash document accepts as one of it's parameters a url which is embedded in the html document. I believe that this archive is meant to be used as a means to transfer an advertisement to someone who would use the source to display the ad on their site, however the end user appears to want to view it locally.When one opens the html document the flash document is presented and when the user clicks on the flash document it redirects to this embedded url. However, if one extracts the archive on the desktop and opens the html document in a browser and clicks the flash object, nothing observable happens, they will not be redirected to the external url.

I believe this is a security risk because one is transferring from the local computer zone to an external zone.I'm trying to determine the best way to explain this security risk in the simplest of terms to a very end user. They simply believe it's "broken" when it's not broken, they're being protected from a known vulnerability.The developer attempted to explain how to copy the files to a local iis instance, which I highly doubt is running on the users machine, and I do not consider this to be a viable explanation.

View 2 Replies

Using Facebook Fanbox (javascript) With Flash

Mar 19, 2010

Has anyone successfully included the facebook fanbox in a flash website? I just do basic stuff on the side and I have created a flash website for my buddys company. He wants to incorporate the facebook fanbox into one of the pages. Facebook has a code generator that outputs something like this:

<script src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US" type="text/javascript"></script>
<script type="text/javascript">FB.init("API_KEY", "");</script>
<fb:fan profile_id="YOUR_PAGE_ID" stream="1" connections="10" width="300"></fb:fan>
<div style="font-size:8px; padding-left:10px"><a href="VANITY_URL">PAGE_NAME</a> on Facebook</div>

Is there a way to incorporate this into flash? The other option they have is iFrames. I have never heard of this, but it looks like this:

[Code]....

View 2 Replies

Javascript :: Facebook Flash App Cannot Communicate

Nov 27, 2010

My index.php file loads the Facebook JavaScript SDK and the FBJS bridge:[code]When I run this file on my server, I can communicate with Facebooks JavaScript SDK either indirectly through ExternalInterface calls, launching various Facebook UI dialogs etc. And I can also use the facebook-actionscript-api to launch the same dialogs directly from ActionScript.When I however use this index file as my Facebook canvas url and load the swf in a Facebook iFrame, the communication crashes the application. I'm not sure how to debug this but I think it might have to do with crossdomain security. Any ideas on debugging and/or solutions are welcome.

View 3 Replies

Javascript :: Post A Slideshow In Facebook?

Jul 24, 2011

Is it possible to post a slideshow in your facebook newsfeed only using HTML/Javascript/CSS ?I think it is possible to post a slideshow using flash. But I'm hearing that FB is in the process of depreciating FBML, will this affect flash content too?

View 1 Replies

Javascript :: Why Isn't Facebook App Publicly Visible

Nov 13, 2011

I have completed my Facebook application yesterday and users can't see it in Facebook search nor direct link. It just shows "page not found", so how to publish my application and make it public for all Facebook users?

P.S. : its working good with me and I can see it in Dunes Lounge and in developers app also.

View 1 Replies

Flex :: Facebook API Javascript Not Defined?

Nov 16, 2011

I have a flex app using the facebook js bridge to log in, and I am trying to pass the users name back to the app, but I am coming across the thing that I will explain after the code:

function getFriends() {
var nameOfPlayer = "";
FB.api('/me', function(response) {

[code].....

View 2 Replies

Javascript :: Facebook - Get Root Page Url?

Dec 2, 2011

i am developing facebook application, and i need to get the facebook root page url not iframe, all these methods: document.location,window.location and top.location... return the iframe url ( my hosting server ) not facebook url.

View 1 Replies

JavaScript :: Flash Security Sandbox - Call To Different Site

Nov 4, 2010

I mixed a.com and b.com in my original post, I'll try to rephrase stuff correctly:

A HTML page is loaded from a.com
The HTML embeds a Flash client from b.com
HTML contains a Javascript function that makes a connection to a.com, ie the origin of the HTML, not the origin of Flash
The Flash calls that Javascript function

Question: Do I need to have a crossdomain.xml in a.com?

View 2 Replies

JavaScript :: Upload ByteArray Image On Facebook With SDK

Apr 14, 2012

I'm trying to upload a photo on Facebook using Javascript SDK. In particular I generate a base64 encoded bytearray from my Actionscript3 app, I pass it to Javascript file using ExternalInterface, and from that I decode the bytearray and I try to upload to FB. But it give me this error:
{"error":{"message":"(#324) Requires upload file","type":"OAuthException","code":324}}

I tried to upload an image simply from url, and in that way it goes well! This is my Javascript code:
upPhoto:function(photo) {
var img = F.decode_base64(photo);
FB.api('/me/photos', 'post', {
message:'test',
fileName:'test',
[Code] .....

View 1 Replies

JavaScript :: Friends Invite For Facebook HTML

Oct 23, 2010

How can I add in my facebook application invite friends. First of all I use actionscript, in order to handle invite issue I searched so many sites but I've got nothing, cuz facebook doesn't support invite actions. then I learnt that javascprit can handle this, however I couldn't find anything valuable about that

View 1 Replies

Javascript :: Adding A Widget In Facebook Wall?

Feb 6, 2011

How do I add a widget to Facebook wall? So when a user clicks on wall post, it gets opened there only, like YouTube video/audio.

It's certainly possible, as Slideshare app [URL] does it.

And, I see that it's a Flash component. I have an iframe (Javascript/html) widget.

View 1 Replies

Javascript :: Facebook App Inside Users Wall?

Mar 19, 2012

Is posible to build a site like youtube, that when is shared in facebook users can run the app (in this case the video player) in the user wall without enter to the youtube page. if is posible, this is only for videos?... can i get an interactive app, like a game do the same. this can be only achieved using flash? or there is any way to do it using HTML5?

View 1 Replies

Javascript :: SecurityError: Error #2060: Security Sandbox Violation

Feb 5, 2010

I'm trying to access a swf function from javascript using External Interface given by adobe and I get the following error.

SecurityError: Error #2060: Security sandbox violation: ExternalInterface caller http://media.varheroes.com/flash/flashtest.swf cannot access http://apps.facebook.com/feline-frenzy/flashtest/.
at flash.external::ExternalInterface$/_initJS()
at flash.external::ExternalInterface$/addCallback()
at flashtest_fla::MainTimeline/frame1()

View 2 Replies

ActionScript 3.0 :: What Is The Difference Between The Facebook Session Returned From The Javascript Api

Feb 6, 2011

I'm having a hard time understanding the logic here.... What is the difference between the facebook session returned from the javascript api as opposed to the one retrieved from AS3 Facebook api when your application is in facebook. I ask this because When I login via invoked via pure javascript or already logged in the permissions are sent to me as well however AS3's FacebookSession.availablePermissions continues to be an empty array Login invoked via flash will however return the availablePermissions Whats the difference in login invocations?

View 5 Replies

Javascript :: Loading Facebook ActionScript Library In A HTML Adobe AIR App?

Mar 8, 2010

I'm writing an Adobe AIR app using plain HTML which needs to upload photos to Facebook. I don't think Facebook's JavaScript/Connect library includes photo uploading functionality, but their ActionScript library does. However, I'm having trouble loading the ActionScript library into the HTML page.

Adobe's documentation describes the process of loading ActionScript libraries into HTML AIR apps, which I tried using the compiled Flash library available here (specifically, Facebook_library_with_AIRConnect_v3.4_flash.swc). So my page looks something like:

<html>
<head>
<title>Hello World</title>

[code]....

Is the compiled library file I used the wrong one (do I need a .swf instead of a .swc)?If so, do I need to create my own compiled library somehow from the ActionScript source?Is the namespace I'm using incorrect? (in addition to com.facebook.Facebook() I tried .Facebook(), .fb.Facebook(), .facebook.Facebook(), etc)Should I just give up and try to learn Flex instead?

View 1 Replies

Javascript :: Track Events Of Video Embedded Into A Facebook Wall?

Feb 20, 2012

My mission is to embed a video (custom player) into a facebook wall and track the users events (play count etc.), also gather other relevant data. I was wondering is this at all possible, if so, can you comment on that briefly?

View 1 Replies

Javascript :: Facebook Sdk Login Dialog Blocked When Invoked From Flash?

Feb 27, 2012

I have a SWF file that calls some javascript which shows the facebook login dialog via the javascript sdk.this all works fine, except for that fact that pop-up blockers block the login dialog, as it isnt invoked from a user action, but from flash.

View 1 Replies

Javascript :: Creating A Persistent Life Counter For A Facebook Game

Mar 20, 2012

i am currently working on a facebook game and i have a problem concerning the integration of a life counter which regenerates over time for a facebook game. The game is a simple Flash/AS3 shooter in which users are competing for the highest score. For monetary reasons every game costs one life and users should only be able to start a new game, if said life counter is >=1. To clear things up, i submitted a link to Popcap's facebook game "Zuma Blitz": ZUMA Blitz I can think of a few ways to do this, but i don't know which is the best/easiest approach. Would it be best to:

[Code]....

View 2 Replies

Flash :: Adobe Facebook API Facebook.login VS Facebook.ui Popups?

Oct 24, 2010

I'm currently building an application using the Adobe Facebook API and I've run into an issue where for the login method the Facebook login popup displays but when doing a Facebook share/post the popup is blocked.

This code works fine and displays me a Facebook login popup without question (Firefox):

var permissions:Array = ['publish_stream'];

Facebook.login( onFacebookLogin, { perms:permissions.join(',') } );

However, the following code running in the same application throws up a popup blocker (again Firefox):

Facebook.ui( "stream.publish", "popup", params );

Does anyone know of a work around this issue to make the share popup come up just like the login popup?

View 2 Replies

Javascript :: Facebook Game Development / University Project / Front End Woes

Dec 8, 2011

I have been requested to make a port of an iOS game for Facebook.The game itself is fairly simple, it is a puzzle game using a 2d array for a grid with XML passed from a server for loading objects onto the the grid, to create levels.The game will ask questions at stages which will be passed to my server and stored for research purposes.Some questions for those with experience.What front-end options do I have with Facebook? I have looked into both Flash and HTML5/js both of which i have little to no experience in (I'm experienced in Java/C#/Ruby + Rails).Javascript seems like a nightmare from what I have read, even looking into javascript game engines, but at least it is free. My backend will most likely be rails for handling server logic.Summary(because I ramble too much)

-Is javascript for programming games really a problem for simple games on Facebook?

-Are js game engines worth using? Does anyone have any experience with them?

-Would prevention of cheating be possible with a js/rails game, do server side checks work?

-Are there any alternatives for a front end for someone with C#/Java/Ruby background?I've never seen any Unity or Java apps on Facebook(I don't use it much) and I don't know if the licensing will be an issue for this research project.

View 1 Replies

Flash :: Javascript - Make A Console Plugin To Interact With Facebook Games Or Other Apps

Feb 5, 2011

I'm playing a flash game on facebook. I know I can decompile it to find out all the commands and would like to make scripts to automate the game by calling procedures in the actionscript of the game. So I guess I would like to make a plugin also that would insert this console into any flash app and this would be handy for a lot of things. Then if anyone wants to hack a new game, u just decompile it and make a handbook of methods for people to make scripts with. So how would I go about making this console? I don't know if I could make a swf interact with the game or if it has to be compiled into the game's swf. Or if it is easier with javascript, that is cool too. maybe we can make a javascript library just for this. anyone can tell me more?

View 2 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved