I'm trying to include a user's profile picture from Facebook, which works fine, but the problem comes when you want to include it on an SSL-secured page. I can't find a way to get the picture to load from a secure location. I'm using the following link to the user's profile pic:
https://graph.facebook.com/<FB_ID HERE>/picture?type=square
Even though I use https it doesn't get loaded securely (browser says the page is just partially encrypted). And this isn't strange since the link just redirects to the images, for example for my profile picture:
https://graph.facebook.com/Bazze/picture?type=square
This will get the picture from:
http://profile.ak.fbcdn.net/hprofile-ak-snc4/161513_633115680_6792455_q.jpg
Note that that is not a secure location.
Anyone know how to load the profile picture securely through the https protocol?
Thanks!
Add return_ssl_resources=1 to your Graph call:
https://graph.facebook.com/<FB_ID>/picture?type=square&return_ssl_resources=1
This is the proper way to get a SSL-served image; the redirect will be to a https server with a proper SSL certificate.
Update: It appears Facebook will now automatically give you a redirect to https-hosted images when you use https://graph.facebook.com, so the return_ssl_resources parameter is no longer necessary.
Using http://graph.facebook.com still gets you a http-hosted image.
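The redirect behaviour discussed in this thread can be checked mechanically. The following is an added example, not code from any of the posters: it walks a redirect chain and reports the first hop that leaves HTTPS. The sample responses are constructed from the URLs quoted in the thread, and the akamaihd.net file name is made up.

```python
"""Trace a redirect chain and report the first hop that leaves HTTPS."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def head(url):
    """Live fetcher: one HEAD request, redirects not followed."""
    u = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.hostname, u.port, timeout=10)
    try:
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=head, max_hops=5):
    """Return (chain, insecure_url); insecure_url is None if every hop is HTTPS."""
    chain = [url]
    for _ in range(max_hops):
        if urlsplit(url).scheme != "https":
            return chain, url          # a plain-HTTP hop makes the page mixed content
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return chain, None         # final resource reached over HTTPS
        url = urljoin(url, location)   # Location may be relative
        chain.append(url)
    raise RuntimeError("redirect limit exceeded")

# Constructed responses modelled on the behaviour described in this thread.
GRAPH = "https://graph.facebook.com/Bazze/picture?type=square"
SAMPLE = {
    GRAPH: (302, "http://profile.ak.fbcdn.net/hprofile-ak-snc4/161513_633115680_6792455_q.jpg"),
    GRAPH + "&return_ssl_resources=1": (302, "https://fbcdn-profile-a.akamaihd.net/constructed_q.jpg"),
    "https://fbcdn-profile-a.akamaihd.net/constructed_q.jpg": (200, None),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    for start in (GRAPH, GRAPH + "&return_ssl_resources=1"):
        chain, bad = trace(start, sample_fetch)
        print(" -> ".join(chain), "| insecure hop:", bad)
```

Calling `trace(url)` without the second argument uses the live `head` fetcher instead of the constructed table.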
It IS a secure location, it's just not a secure redirect
All you can do is make sure you are using a secure request when calling the Graph API; after that Facebook will take over the communication and nothing can be done.
Well, https://graph.facebook.com/Bazze/picture?type=square is a 302 redirect to http://.... But note that https://... still works (example).
So it looks like one solution is to parse the 302 yourself, insert the 's' in the appropriate place, then fetch the image. But on the downside, the linked page above has certificate errors, and there isn't a good way to fix that.
(I'm not saying this is a good answer...)
The 302 redirect will have your picture URL as stated in the Open Graph API documentation.
Then you need to change from:
/ http profile.ak.fbcdn.net /
to:
/ https fbcdn-profile-a.akamaihd.net /
And from: / http static.ak.fbcdn.net / to: / https s-static.ak.fbcdn.net /
I really think that FB should do that in their API's !!!!
You could proxy it through your own server. Set up a script that fetches the image from Facebook then serves it back to you over SSL.
For Example
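<?php
// Only proxy http(s) URLs whose parsed host is a Facebook domain. A substring
// test on the raw string (stristr) also accepts local file paths and any
// host name that merely contains "facebook." or "fbcdn.".
$path = isset($_GET['path']) ? $_GET['path'] : '';
$parts = parse_url($path);
$scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
$host = isset($parts['host']) ? strtolower($parts['host']) : '';
if (!in_array($scheme, array('http', 'https'), true)
    || !preg_match('/(^|\.)(fbcdn\.net|facebook\.com)$/', $host))
{
    echo "ERROR";
    exit;
}
// Never echo the raw parameter into a header; keep a sanitised file name only.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename(isset($parts['path']) ? $parts['path'] : 'picture'));
header("Content-Description: Facebook Proxied File");
header("Content-Type: image/jpeg"); // assumes JPEG, like the .jpg URL in the question
header("Content-Disposition: attachment; filename=\"" . $name . "\"");
// Do not follow redirects, so the fetch cannot be bounced to another host.
readfile($path, false, stream_context_create(array('http' => array('follow_location' => 0))));
?>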
Taken from
http://www.permadi.com/blog/2010/12/loading-facebook-profile-picture-into-flash-swf-using-open-graph-api/
Accessed via https://yourdomainhere.com/proxy.php?path=URLENCODED-IMG-URI should return the userpic via SSL.
You can also get secure profile pics in bulk, in which case you have to add the return_ssl_resources=1 param as @josh3736 mentioned.
https://graph.facebook.com/?ids=id1,id2,id3,...&fields=picture&return_ssl_resources=1
Use ***http***://graph.facebook.com/Bazze/picture?type=square instead of **https**://graph.facebook.com/Bazze/picture?type=square
Related
I am using Express in one of my applications. I want to make a POST request to a URL, but it should also redirect to that URL, like when we submit a form using the GET/POST method and it redirects us to that URL (). The only solution that comes to mind is:
make a hidden form
redirect to that form from controller with data
Submit form using js on page load.
The only disadvantage of this solution is that the user will see a blank page for some time until the form gets loaded.
Can anyone suggest some better solution ?
I think what you are looking for is not a "redirect." It's a solution which will send an extra request to another (or the same) URL and get the result from there instead of showing a blank page to the client for redirecting.
If that's correct, please refer to this similar question: How to forward a request to other endpoint in node.js
If you're looking for redirection (HTTP 301 & 302), the easiest way to do it is passing your data through GET URL query string. You can encrypt your data to prevent security risks.
I have a site where the user needs to pass HTTP basic authentication prior to accessing the URL, let's say www.mybasicauthurl.com. The basic authentication credentials can be passed in either of two ways:
Browse to the URL and enter the username and password in the pop-up, if not done already.
Access the URL as: username:password@www.mybasicauthurl.com
Now I use approach #2 and supply the basic auth credentials via the URL itself. This works fine and I am able to see the legitimate web page, but
when I open Firebug and look at all the loaded static files, it shows me something like
http://username:password@www.mybasicauthurl.com/static/jquery/jquery.js
http://username:password@www.mybasicauthurl.com/static/css/styles.css
http://username:password@www.mybasicauthurl.com/static/image/image1.png
Please note the prepended text username:password@ in the URL. I don't want that; I just want these static files to be loaded normally, like
http://www.mybasicauthurl.com/static/css/styles.css
I don't know if this is something done by the browser or apache server.
I would appreciate it even if you just share some useful link that I failed to find on Google.
If you want to avoid HTTP auth on static resources, the best thing to do is to remove it server-side.
That means static resources would be available without authentication, but if nothing important is present in the static resources, that's good.
Should be something like that:
# Apache < 2.4
<Location /static>
    Satisfy Any
    Allow from all
</Location>
# Apache >= 2.4
<Location /static>
    Require all granted
</Location>
Another point. If the thing you do not like is the presence of username:password in the HTML source, that's effectively quite bad, and depending on the browser versions it may or may not be supported (it tends to be removed). That's clear-text information that could be intercepted or stored in the browser cache. But you are also using http:// and not https://, and this is even worse. The username:password is transmitted in clear text for each request of the browser; everybody can read this information!
When using Basic HTTP Authentication you must use HTTPS. Credentials are transmitted with a simple base64 encoding; it's just an ascii-7-trick encoding (like utf-8 is an encoding). So if you want to protect this username/password information you will also need HTTPS.
I have set my redirect uri to something like this:
../index.php?r=spotifycollegeplaylists/tab/index
I was able to set up the login using this example
https://github.com/jwilsson/spotify-web-api-php
The login is working fine, I can trigger the login popup and I am able to login. Now the problem is with the redirection. After logging in I am redirected to this URL:
../index.php%3Fr=spotifycollegeplaylists/tab/index&page=index?code=AQCtOWUzHM
See, the problem with the redirect is that it has two "?". If I manually change %3F to ? and ?code to &code, the link works okay. Using the method from the API above, how will I be able to fix this issue?
I've made a query on the Spotify Web API site as well, and I got feedback from one of their support team / developers.
"I understand your issue and I would recommend that you don't have any query parameters in your callback URLs. We have a known issue in that we don't allow the Redirect URI to include parameters and hopefully this will be fixed soon. Meanwhile, you could use the state parameter that you'll get back when the code is returned through the callback."
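One way to follow that advice, as an added example that is not part of the original posts and not code from spotify-web-api-php: keep the registered redirect URI free of query parameters and carry the target route in a signed `state` value that is verified on the callback. The callback host, the client id placeholder and the session nonce handling are assumptions.

```python
"""Carry the post-login route in a signed OAuth `state`, not in redirect_uri."""
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = secrets.token_bytes(32)  # assumption: server-side key, persisted in real use
REDIRECT_URI = "https://app.example.com/index.php"  # hypothetical; no query string
ALLOWED_ROUTES = {"spotifycollegeplaylists/tab/index"}  # route from the question

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_state(route, session_nonce):
    """state = payload.tag; the nonce ties it to the user's session (CSRF)."""
    payload = json.dumps({"r": route, "n": session_nonce}).encode()
    return _enc(payload) + "." + _enc(hmac.new(SECRET, payload, hashlib.sha256).digest())

def authorize_url(client_id, route, session_nonce):
    query = {"client_id": client_id, "response_type": "code",
             "redirect_uri": REDIRECT_URI, "state": make_state(route, session_nonce)}
    return "https://accounts.spotify.com/authorize?" + urlencode(query)

def handle_callback(callback_url, session_nonce):
    """Return (route, code) if state verifies for this session, else None."""
    query = parse_qs(urlsplit(callback_url).query)
    code = query.get("code", [""])[0]
    try:
        payload_b64, tag_b64 = query.get("state", [""])[0].split(".")
        payload, tag = _dec(payload_b64), _dec(tag_b64)
    except ValueError:  # missing, malformed or badly encoded state
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not code or not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)  # safe to parse: the tag proves we produced it
    if not hmac.compare_digest(data["n"], session_nonce) or data["r"] not in ALLOWED_ROUTES:
        return None
    return data["r"], code
```

The application then routes internally to the returned value instead of relying on a `?r=...` query string surviving the round trip.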
I've recently begun learning AngularJS for web development and am loving it so far. However, I'm not so sure about having hashtags within the link when routing between views. My main concern is how Google will cache the pages on the site and whether the links will work both ways, i.e. whether users can just click www.sampledomain.com/#/orders/450 and be directed straight to the order page. Is this an okay method or is there a way to route views without the hashtag?
When I remove the hashtag and then reload the page, I get a 404 error. Can anyone give me a decent explanation of what is going on? Thanks
When I remove the hashtag, the reload the page and gets 404 error
That's because in your server side code you are probably not handling a request like "www.sampledomain.com/orders/450"
You can have your server-side code handle this request by either returning a redirect to the new URL ("www.sampledomain.com/#/orders/450") or just return the correct HTML directly. The "right" solution will depend on your needs.
User can just click link with a hashtag and it will be directed straight to the order page.
Google treats links with hashtags as different URLs when the content is different. It's more about SEO than angular.js, but here is an article about that: The First Link Counts Rule and the Hash Sign - Does it Change PR Sculpting?
You might want to set Angular's $locationProvider to use html5Mode.
FTA:
$location service has two configuration modes which control the format of the URL in the browser address bar: Hashbang mode (the default) and the HTML5 mode which is based on using the HTML5 History API. Applications use the same API in both modes and the $location service will work with appropriate URL segments and browser APIs to facilitate the browser URL change and history management.
html5Mode will give you "normal" urls in modern browsers while falling back to hash bangs on older browsers.
An html5Mode url:
http://foo.com/bar?baz=23#baz
a hashbang url:
http://foo.com/#!/bar?baz=23#baz
Since 1st Oct is coming. I am working on Secure Canvas URL stuff.
My canvas url is like canvas.example.com. I can make this domain and server SSL ready without a problem.
My question is, should every http request made by canvas.example.com also change to https?
E.g. I import some JS, CSS and images from cdn.example.com into my canvas page. Should I configure cdn.example.com so that it can also be accessed via https, or can I just leave this domain alone and still use http to get that content?
Thank you very much.
You should make all content served over https or the browser will show warnings.
Facebook policies clearly mention that all the Page Tabs and iFrame Applications shall have an SSL certificate.
Any external content like images and JS included on your site shall also come from secured hosting, hence the https://, else you shall not be complying with FB policies.
Given the fact that FB has been very strict on punishing defaulters, I don't think any app developer can take the risk.
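To find which includes still need moving to https, the page markup can be scanned for subresources that would be fetched over plain HTTP. This is an added example, not from the posters; the sample markup is constructed using the host names from the question.

```python
"""List subresources a page would fetch over plain HTTP (mixed content)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute whose URL the browser fetches as part of the page.
# <a href> is navigation, not a subresource, so it is not listed.
FETCHED = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
           "audio": "src", "video": "src", "source": "src", "link": "href"}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> types that trigger a fetch

class _Finder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCHED.get(tag, ""))
        if not url:
            return
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not LINK_RELS & rels:
            return
        resolved = urljoin(self.page_url, url)  # handles relative and //host URLs
        if urlsplit(resolved).scheme == "http":
            self.found.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return [(tag, absolute_url), ...] for every plain-HTTP subresource."""
    finder = _Finder(page_url)
    finder.feed(html)
    finder.close()
    return finder.found

# Constructed canvas page using the host names from the question.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://cdn.example.com/app.css">
<link rel="canonical" href="http://canvas.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="//cdn.example.com/lib.js"></script>
<img src="/img/logo.png">
<img src="http://cdn.example.com/banner.png">
<a href="http://www.example.com/help">help</a>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://canvas.example.com/", SAMPLE_HTML):
        print(tag, url)
```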