Any calls I make to FB.ui are not followed by any action. On Chrome, if the 'display' property is set to 'iframe' or 'dialog', the following error is triggered:
Blocked a frame with origin "https://www.facebook.com" from accessing a frame with origin "http://my.domain.com". The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "http". Protocols must match.
Neither Firefox nor IE show anything in the console, however nothing happens either. Therefore, I'm not too sure whether this is an actual XSS issue. For the record, the entire website is running on HTTP and I haven't explicitly specified any HTTPS query.
The source code follows:
window.fbAsyncInit = function() {
FB.init({
appId : XXXXXXXXX,
status : true,
cookie : true,
});
FB.Event.subscribe('auth.logout', function(response) {
window.location.reload();
});
window.selectedFacebookFriends = [YYYYYYYYY];
window.inviteFacebookFriends = function() {
FB.getLoginStatus(function(response) {
if (response.status === 'connected') {
to = window.selectedFacebookFriends.join(',');
FB.ui({
method: 'apprequests',
message: 'Join ZZZZZZZZZ, it\'s cool there!',
to: to
}, function(response) {});
}
});
}
};
// Load the SDK asynchronously
(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) {return;}
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_US/all.js";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
I tried with plenty of other methods for FB.ui, and changed all the parameters, calling it directly from the console, but this didn't help.
Facebook login works perfectly, as well as all the graph requests I've tried using FB.api. The issue seems to lie in FB.ui or its implementation.
I have found quite a few similar issues on this website but none of the solutions I came across have solved the issue.
Thank you in advance for your kind help and do not hesitate if I forgot any relevant information.
If you are wanting a popup dialog, and running into this problem, make sure to explicitly specify
display: 'popup'
in fb.ui.