Facebook App Security

Resolve Facebook Security Warnings when https is Enabled

This article is focused on Facebook app security and the Facebook https warning. You may have come across the security warning shown below if your app requires communication over https. It is caused by cross-domain content being pulled together from various sources and combined in one page, which raises the browser's SSL warning. For example, you may have content coming from Facebook, from the host of the third-party app, and from the host of the content itself (its location). Read on to understand what changed on Facebook's end and how to resolve the security warnings.

Past

  • Facebook tabs were built with FBML (Facebook Markup Language), derived from HTML and using Facebook-approved JS and AJAX commands
  • A custom app ran inside a standard FBML tab and requested external data. Technical limitations: everything was proxied through Facebook, which broke JS, tracking pixels, etc.

Now

  • Support for HTML iframes (inline frames) as the display technology for page tabs
  • To support this, XFBML and the JS dev kit work both in Facebook iframes and in independent web pages
  • Any JS library, Flash or Silverlight can be used
  • Apps such as all those silly games people play on Facebook often use iframes rather than HTML so they can take advantage of web technologies such as Flash
  • Facebook can be accessed over a secure connection using HTTPS; this was a knee-jerk reaction. The highest priority for encryption is the session credentials.
  • A self-signed certificate cannot be used

Security risks

  • A Facebook tab can include JS that redirects the browser to a malicious website
  • If exposing apps as Facebook tabs using iframes, watch out for form submissions and other interactions that bypass proxies, for example the case where Facebook is blocked at work
  • The whole thing was started by Firesheep, which could hijack a user session and take over the account because the session data was transmitted unencrypted and could be sniffed over Wi-Fi
  • Rogue Apps – http://www.readwriteweb.com/archives/how_safe_are_facebook_applications.php

Recommendations

  • Do not try to run everything over SSL; it can be an expensive solution from both a cost and a performance perspective
  • Install an SSL certificate on the web server hosting the app files. Obtain an SSL certificate, or your enterprise-signed certificate, that is valid for the domain
  • Remove http references to content
  • You do not need SSL certificates for every client: if you obtain a valid SSL certificate for your domain and host all the content there, you can host multiple clients' iframe content
  • Add https references when the resource is known to be served over https. Example: the jQuery library from the googleapis.com AJAX library
  • The same applies to any Facebook Connect code loaded over http
  • The best way is to use protocol-relative URLs: start the URL with // so the content is loaded over the same protocol as the parent page. That way, when someone visits your content via http://, the content you embed does not get encrypted unnecessarily.
  • Populate the Secure Tab URL field or the Secure Canvas URL field in the app settings
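The following is an added example (not code from the original post) that puts the last few recommendations into practice: it scans an app page for http:// resource references that would trigger the warning inside an HTTPS Facebook iframe, rewrites the ones served by hosts on an assumed allowlist of known-HTTPS hosts to protocol-relative // URLs, and reports the rest so they can be moved to an HTTPS host rather than blindly rewritten. The sample page, hostnames and allowlist are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute whose http:// value pulls a resource into the page.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "link": "href", "source": "src", "embed": "src"}
# Assumed allowlist: hosts the author has verified serve the same content over HTTPS.
HTTPS_HOSTS = {"ajax.googleapis.com", "connect.facebook.net"}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attr, url) for every http:// resource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)  # None for tags we do not care about
        for name, value in attrs:
            if name == attr and value and value.lower().startswith("http://"):
                self.findings.append((tag, attr, value))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def rewrite_protocol_relative(html):
    """Rewrite http:// references on allowlisted hosts to '//' URLs.

    Returns (rewritten_html, unresolved_urls). References to hosts not known to
    serve HTTPS are left untouched and reported: switching them blindly would
    break the page instead of fixing the warning."""
    unresolved = []
    for _tag, _attr, url in find_mixed_content(html):
        host = (urlsplit(url).hostname or "").lower()
        if host in HTTPS_HOSTS:
            html = html.replace(url, "//" + url[len("http://"):])
        else:
            unresolved.append(url)
    return html, unresolved


# Constructed sample: a tab app page as it would be loaded in an HTTPS iframe.
SAMPLE_HTML = """<html><head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<link rel="stylesheet" href="http://app.example.com/css/tab.css">
</head><body>
<img src="http://app.example.com/img/logo.png">
<img src="//cdn.example.com/ok.png">
<script src="https://connect.facebook.net/en_US/all.js"></script>
</body></html>"""
```

Running `rewrite_protocol_relative(SAMPLE_HTML)` rewrites the jQuery reference to `//ajax.googleapis.com/...` and reports the two app.example.com URLs as still needing an HTTPS host.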
