Snipe.Net Geeky, sweary things.

Using SSL in a Facebook Application Tab

U

In short – you can’t. Or at least not if you want to be PCI compliant. In order to pass a user’s personal information through a secure encrypted channel, you will need to collect that data on an IFRAME application page. No two ways about it. Here’s why:

ALL Tabs are FBML

Even if your application is an IFRAME application, the application tab will be FBML. This is just the way Facebook has set it up, presumably to prevent unethical developers and page owners from trying to execute some nefarious JavaScript on an unsuspecting page visitor.

Why This Matters

Besides the obvious reasons such as the castrated JavaScript that you’re limited to in FBML (Mock Ajax/FBJS), there’s another gotcha that it took me a while to uncover.

Say you have an application tab on a Facebook fan page, and that tab is meant to collect personal user data, for example an entry form for a contest or sweepstakes. You need to collect name, address, contact information, possibly age – and so on, all of which qualify as PII, or Personally Identifiable Information. This means that you’re supposed to be sending this information over SSL so that the user’s personal data is never transmitted over the wire unencrypted.

You would normally use Ajax to submit a form like this, otherwise when the user submits, they will be taken out of the Facebook site and onto whatever form handler you’ve set in your HTML form.

When you submit a form using Mock Ajax in FBML, Facebook runs that form submission through a proxy page, specifically called ajax-proxy.php. The problem comes in that there is no SSL version of this proxy page, so instead of the user’s data traveling like this:

Form → SSL → Your Form Handler

It instead goes through something like this:

Form → Non-SSL Ajax Proxy → SSL → Your Form Handler

This means that if you are working on applications that must endure any kind of formal PCI compliance or penetration testing, you WILL NOT PASS, since there is a point in that process where the user’s data is being transmitted in plain text and could potentially be intercepted.

The only way round this is to set your application up as an IFRAME application, and put the form on a page within the app, not on a tab. From there, you can use normal Ajax to post over SSL and the communication will not be proxied by Facebook.

About the author

snipe

I'm a tech nerd from NY/CA now living in Lisbon, Portugal. I run Grokability, Inc, and run several open source projects, including Snipe-IT Asset Management. Tweet at me @snipeyhead, skeet me me at @snipe.lol, or read more...

By snipe
Snipe.Net Geeky, sweary things.

About Me

I'm a tech nerd from NY/CA now living in Lisbon, Portugal. I run Grokability, Inc, and run several open source projects, including Snipe-IT Asset Management. Tweet at me @snipeyhead, skeet me me at @snipe.lol, or read more...

Get in Touch