
When I try to use Facebook login on this site:

https://parlay.io

by clicking the button at the top of the page, I get a popup with the URL:

https://www.facebook.com/login.php?skip_api_login=1&api_key=501604519940587&signed_next=1&next=https://www.facebook.com/v2.2/dialog/oauth?redirect_uri=https%3A%2F%2Fparlay.io%2F_oauth%2Ffacebook%3Fclose&display=popup&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiJxd01acHRSb3hGX0hDM1FEV25vSVVSVXlDZTZWcWVFNUhrUHZVcHA5ZWhUIiwiaXNDb3Jkb3ZhIjpmYWxzZX0%3D&scope=email%2Cuser_friends&client_id=501604519940587&ret=login&cancel_url=https://parlay.io/_oauth/facebook?close&error=access_denied&error_code=200&error_description=Permissions+error&error_reason=user_denied&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiJxd01acHRSb3hGX0hDM1FEV25vSVVSVXlDZTZWcWVFNUhrUHZVcHA5ZWhUIiwiaXNDb3Jkb3ZhIjpmYWxzZX0%3D#=&display=popup

I enter in my Facebook creds and submit. In Safari, this works and login completes. In Chrome, the popup goes blank but stays open. The popup URL is

https://parlay.io/_oauth/facebook?close&code=...

The popup console says:

Uncaught SecurityError: Blocked a frame with origin "https://parlay.io" from accessing a frame with origin "http://parlay.io". The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "http". Protocols must match.

The error occurs on line 23:

enter image description here

I don't know why this popup is trying to access http://parlay.io. I do not have http or http://parlay.io as a setting anywhere in my app.

This is using the 'popup' style oauth. When I switch to 'redirect' style in Chrome, the first time I log in, I get this error on the server:

{"line":"398","file":"oauth_server.js","message":"Error in OAuth Server: redirectUrl (http://parlay.io/) is not on the same host as the app (https://parlay.io/)","time":{"$date":1435164688847},"level":"warn"}[parlay.io]

and I get redirected to the same sign-in page. The second time I click login, it works. The second click can be automated with:

enter image description here

  • What about the app settings on the Facebook side? Might you have an http over there? Jun 24, 2015 at 3:03
  • @Loren perhaps, initially you set your ROOT_URL to use http://. You may have something lying around in your cache if Facebook is also using an https:// URL to call back. Try using an incognito Chrome window or Safari in private mode to test it.
    – Tarang
    Jun 24, 2015 at 6:13
  • Hey, cloak and tail.sh! Small world. Thanks guys, all the URLs in the Facebook app settings on developer.facebook.com are https. Same behavior in Chrome incognito. Login works in Safari, no SecurityError.
    – Loren
    Jun 24, 2015 at 13:41

1 Answer

I had the exact same problem, under similar conditions (Meteor 1.3.x, ROOT_URL set to https, FB/Twitter apps set to https.)

What fixed the problem for me was to set up my site to always redirect HTTP requests to HTTPS. I am using Cloudflare, so I followed the instructions here:

https://support.cloudflare.com/hc/en-us/articles/200170536-How-do-I-redirect-all-visitors-to-HTTPS-SSL-

After making the change, sign-in worked like a charm across different machines. Final results here:

https://goodbyegunstocks.com
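
An added diagnostic example, not part of the question or answer and not Meteor's own code: it decodes the `state` value from the popup URL in the question, then compares the two origins named in the Chrome error before and after the always-HTTPS redirect the answer describes. The function names are hypothetical, and the opener URL `http://parlay.io/` is assumed from the error messages.

```javascript
// Added diagnostic sketch; not Meteor's oauth code and not the site's code.

// Decode the base64 JSON carried in the OAuth `state` query parameter.
function decodeState(stateParam) {
  const b64 = decodeURIComponent(stateParam);
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Same-origin policy compares scheme, host and port; report which parts differ.
function compareOrigins(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  const diffs = [];
  if (ua.protocol !== ub.protocol) diffs.push("protocol");
  if (ua.hostname !== ub.hostname) diffs.push("host");
  if (ua.port !== ub.port) diffs.push("port");
  return { sameOrigin: ua.origin === ub.origin, diffs };
}

// Effect of an always-HTTPS redirect (the fix in the answer) on a page URL.
function upgradeToHttps(url) {
  const u = new URL(url);
  if (u.protocol === "http:") u.protocol = "https:";
  return u.href;
}

// `state` value copied from the popup URL in the question.
const STATE_FROM_QUESTION =
  "eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiJxd01acHRSb3hGX0hDM1FEV25vSVVSVXlDZTZWcWVFNUhrUHZVcHA5ZWhUIiwiaXNDb3Jkb3ZhIjpmYWxzZX0%3D";

// URLs taken from the error messages in the question (opener is an assumption).
const OPENER = "http://parlay.io/";
const POPUP = "https://parlay.io/_oauth/facebook?close";

function diagnose() {
  return {
    state: decodeState(STATE_FROM_QUESTION),          // loginStyle, token, isCordova
    before: compareOrigins(POPUP, OPENER),            // protocol mismatch
    after: compareOrigins(POPUP, upgradeToHttps(OPENER)), // same origin
  };
}

console.log(JSON.stringify(diagnose(), null, 2));
```

The decoded state carries only the login style, a credential token and a Cordova flag, with no URL in it, while the origin comparison differs only in protocol until the opener page is itself served over HTTPS.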
