App tabs disappearing in HTTPS-Only mode


You may have heard the buzz a little while back about how Facebook now allows users to select “HTTPS-Only” mode, which forces Facebook to run over SSL. This is good news for users, but has a pretty big impact on developers, some of which I mentioned here.

We knew that users would see a warning if they try to access your non-SSL canvas app and they’re in HTTPS-Only mode, but something some of you may not have realized is that non-SSL fan page tabs will not display at all.
Users won’t get a warning that the tab they’re about to view is non-SSL – they won’t even see the tab in the list of navigation options. If they try to access it directly via link, they will be redirected back to the fan page’s wall.

This appears to be intentional behavior, not a bug, although it was only glossed over very quickly in a Developer Blog post:

“Please take some time to add a “Secure Tab URL” as if you have not, we will not be able to show your tab to users browsing Facebook over HTTPS.”

So if you’re being more secure and browsing in HTTPS-Only mode and can’t figure out why a bunch of your tabs are missing, that’s why. What this ultimately means is that every developer should account for the extra time and cost involved in getting an SSL certificate for fan page tabs as well as proper canvas apps.

  • Chris


  • Thanks in advance. Your blog is very useful and pretty for me.
    I wanted to ask about another disappearance. Do you know why the app tabs are not browsing with Safari on the iPhone?

    • Hmmm… I don’t remember app tabs working at all on the mobile web version of the site. They might be working to change that, but in general it’s not something they currently support, I don’t think.

  • Incidentally, what’s the point of that thing that shows last logins, if the user (and presumably anyone who’s hacked the user’s account) can remove the entries?

  • Sorry this took so long to reply. Disqus has been preventing me from approving comments from the web interface for some reason – really frustrating.

    Sure, you can certainly run all of your apps under one main SSL – that will be fine if you run all your own servers, host any/all client apps, etc. You could have:

    and so on. It only really matters if you’ve got stuff that can’t mix in the same web space.