I'm hoping this is just a bug on Facebook's end that will be fixed soon, but in my Facebook Connect app I'm launching the dialogue FB provides to make a post. This dialogue is launched on a page with an SSL connection. In this dialogue the profile pic for some users comes up with a security warning while others display correctly. I'm already setup to use Facebook's SSL javascript file instead of the HTTP file.
A:
Also check whether you are serving the xd_receiver under ssl. The debugging hint at the bottom of this page can help you find if there are requests going to facebook other than the pictures which might not be SSL, thus confusing their determination of whether the page is under ssl: http://wiki.developers.facebook.com/index.php/Facebook_Connect_Via_SSL
I would use fiddler and see if there are other requests going to facebook which are not ssl, that will probably give you an indication of what is being missed, or if it is a bug.
dar
2010-03-26 12:16:23
Thanks for the link. The xd_receiver is setup for SSL, but that link said something about a 'return_ssl_resources=true' flag that you could set. Although I think they're talking about PHP and I'm using the Javascript API. Do you happen to know if that flag is available through the Javascript API? If so I think that could be the answer. I took a look and I couldn't find it but it may be hidden somewhere.
Adam
2010-03-26 22:06:46
A:
This is a bug at Facebook, but there's a work-around. When you use Facebook Connect to show a profile pic, you must set facebook-logo="false" on the fb:profile-pic FBML tag. (Note: the default is "true"). If you do this, and follow the instructions at facebook for using ssl, then the profile pic will be served using the correct protocol. If you leave it set to "true", then you always get the profile pics over http.
The bug is reported at http://bugs.developers.facebook.com/ as issue 5507 and possibly 7072 and 8485.
Jamey
2010-03-29 14:40:19
@Jamey: Thanks. Do you know how to set that parameter when using the Javascript API?
Adam
2010-03-29 15:34:47
@Jamey: The actual popup that is providing the status entry and the profile pic is provided by Facebook. So unfortunately I don't have a profile-pic tag to pass in this variable. Instead I'm using Facebook's streamPublish function in their Javascript API and then they do all the rest.
Adam
2010-03-30 00:17:23
@Adam: I mocked this up, and FB.Connect.streamPublish() returns images over SSL for me. Make sure you're getting both FeatureLoader.js and XdCommReceiver.js over HTTPS.
Jamey
2010-03-31 22:06:40