'Refused to display in frame.' Facebook Oauth dialog


I'm having some trouble authenticating users for my app. During the authentication process I get the following error:

Refused to display 'https://www.facebook.com/dialog/oauth?response_type=code&client_id=xxxxxxxx…%2Fliketodownload.xx-xxxx.com%2Fauth%2Ffacebook%2Fcallback&scope=email' in a frame because it set 'X-Frame-Options' to 'DENY'.

I think it's to do with the authentication trying to redirect to an invalid target, and that's why it's getting blocked. But with Ruby and Sinatra I am unsure of how to overcome this.

Many thanks.

UPDATE

I'm not redirecting to views; the auth and add-to-page dialogs are triggered into new targets via HTML. Now I'm trying to figure out the logic of how to auth and redirect users appropriately.

Code below:

require 'sinatra'
require 'fbgraph' # provides FBGraph::Canvas.parse_signed_request

post '/' do
  if current_user
    signed_request = FBGraph::Canvas.parse_signed_request(APP_SECRET, params[:signed_request])
    if signed_request["page"] != nil
      is_admin = signed_request["page"]["admin"]
      is_liked = signed_request["page"]["liked"]
      if is_admin # if admin, see if existing user is in db, if not create, then send to admin page
        puts "user is a page admin" # logging for dev
        redirect '/index'
      elsif is_liked # if liked send to download end point
        puts "user has liked page" # logging for dev purposes
        redirect '/main/#/liked'
      else # otherwise make them like the page
        puts "user has not liked" # logging for dev purposes
        redirect '/main/#/notliked'
      end
    else
      redirect '/addtopage/#/addtopageview'
    end
  elsif session['fb_auth']
    # The auth hash stored by the callback below. It used to live in a global
    # ($auth1); globals are shared by every request the process serves, so one
    # visitor's Facebook identity could have been attached to another's request.
    auth = session['fb_auth']
    puts "post / add to page view reached"
    user = User.first_or_create({:uid => auth["uid"]}, {
        :uid => auth["uid"],
        :nickname => auth["info"]["nickname"],
        :name => auth["info"]["name"],
        :email_address => auth["info"]["email"],
        :created_at => Time.now})
    session[:user_id] = user.id # without this current_user never becomes truthy
    redirect '/addtopage/#/addtopageview'
  else
    # we just redirect to /auth/facebook here which will parse the @signed_request FB sends us, asking for auth if the user has not already granted access, or simply moving straight to the callback where they have already granted access.
    puts "post / auth me reached"
    redirect '/addtopage/#/authme'
  end
end

get '/auth/:provider/callback' do
  auth = request.env["omniauth.auth"]
  # need escape here to allow user to initially authorise app without the full @signed_request?
  # Keep the auth hash in the per-user session rather than a process-wide global.
  # (A cookie-backed session holds roughly 4 KB; the OmniAuth hash can be large.)
  session['fb_auth'] = auth
  session['fb_token'] = auth['credentials']['token']
  # If the token must also be a cookie, keep it away from page scripts and off plain HTTP.
  response.set_cookie 'fb_token', {:value => auth['credentials']['token'], :path => "/",
                                   :httponly => true, :secure => true}
  session['fb_error'] = nil
  if params[:signed_request] != nil # if the signed request isn't empty
    signed_request = FBGraph::Canvas.parse_signed_request(APP_SECRET, params[:signed_request])
    if signed_request["page"] != nil # if the signed request contains page data
      session['fb_page_id'] = signed_request["page"]["id"]
      is_admin = signed_request["page"]["admin"]
      is_liked = signed_request["page"]["liked"]
      if is_admin # if admin, see if existing user is in db, if not create, then send to admin page
        puts "user is a page admin" # logging for dev
        user = User.first_or_create({:uid => auth["uid"]}, {
            :uid => auth["uid"],
            :nickname => auth["info"]["nickname"],
            :name => auth["info"]["name"],
            :email_address => auth["info"]["email"],
            :created_at => Time.now})
        session[:user_id] = user.id
        # insert page_id into database?
        redirect '/index'
      elsif is_liked # if liked send to download end point
        puts "user has liked page" # logging for dev purposes
        redirect '/main/#/liked'
      else # otherwise make them like the page
        puts "user has not liked" # logging for dev purposes
        redirect '/main/#/notliked'
      end
    else # user authed app but needs to add to page
      puts "add to page view"
      redirect '/addtopage/#/addtopageview'
    end
  else
    # needs to redirect to a page telling them that they must be on facebook or that they must authorise the application
    redirect '/index'
  end
end

helpers do
  def current_user
    @current_user ||= User.get(session[:user_id]) if session[:user_id]
  end
end
There is 1 answer below

Facebook domains cannot be iframed, except for the social plugins. Why?

For security reasons. For example, let's say you're logged into your Facebook account and I have http://example.com/xss.html, which has an iframe of http://facebook.com; in this way I can steal or hijack sensitive information from your account like the fb_dtsg token. The same goes for OAuth dialogs: I can set my iframe source to it and steal your access_token :)

I hope it's clear enough why Facebook uses

header('X-Frame-Options: DENY');
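The following is an added example (not code from the question or the answer): a small Ruby model of the check a browser performs before rendering a response inside an iframe, so the "Refused to display ... in a frame" message from the question can be reproduced offline. It follows RFC 7034 (DENY, SAMEORIGIN, ALLOW-FROM, and browsers ignoring malformed values); the canvas URL and client_id are constructed placeholders.

```ruby
require 'uri'

# Two URLs share an origin when scheme, host and port all match.
def same_origin?(a, b)
  a.scheme == b.scheme && a.host == b.host && a.port == b.port
end

# framed_url: the document being loaded inside the <iframe> (here the OAuth dialog)
# top_url:    the top-level document that embeds it (here the canvas app page)
# Returns [allowed, reason], modelling RFC 7034 X-Frame-Options handling.
def frame_decision(framed_url, top_url, x_frame_options)
  framed, top = URI(framed_url), URI(top_url)
  value = x_frame_options.to_s.strip
  case value
  when ''
    [true, 'no X-Frame-Options header, framing is unrestricted']
  when /\ADENY\z/i
    [false, "Refused to display '#{framed}' in a frame because it set 'X-Frame-Options' to 'DENY'."]
  when /\ASAMEORIGIN\z/i
    if same_origin?(framed, top)
      [true, 'SAMEORIGIN satisfied, top-level origin matches the framed origin']
    else
      [false, "Refused to display '#{framed}' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'."]
    end
  when /\AALLOW-FROM\s+(\S+)\z/i
    allowed = URI($1)
    ok = same_origin?(allowed, top)
    [ok, ok ? "ALLOW-FROM permits #{top}" : "ALLOW-FROM permits only #{allowed}, not #{top}"]
  else
    # Browsers treat an unrecognised value (e.g. ALLOWALL) as if the header were absent.
    [true, "unrecognised X-Frame-Options value #{value.inspect}, header ignored"]
  end
end

def framing_allowed?(framed_url, top_url, x_frame_options)
  frame_decision(framed_url, top_url, x_frame_options).first
end

# Constructed sample reproducing the question: the canvas iframe (its top-level page,
# example.com, is a placeholder) redirects itself to the OAuth dialog, which answers DENY.
DIALOG = 'https://www.facebook.com/dialog/oauth?response_type=code&client_id=APP_ID'
CANVAS = 'https://example.com/canvas/'
puts frame_decision(DIALOG, CANVAS, 'DENY').last
```

The same check explains why a server-side `redirect` issued from inside the canvas iframe can never reach the dialog: only a response without DENY, or a navigation of the top-level window, gets past it.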