I created a new fb app for testing today, but can't get the login working. I am using the JavaScript SDK and I can see the following error message in the console:

Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://

This app is exclusively used to run tests on a local server. The site URL configured in Facebook Login > Quickstart > Web is http://localhost:3000/. I checked Facebook Login > Settings and the Enforce HTTPS switch is activated and disabled. Other apps that are still working don't have the Enforce HTTPS setting active. They only show a warning/error about the safety risks of not using HTTPS. Is there a way to deactivate this setting? I already use ngrok in a docker container during my build to test the Messenger integration. It only works because I can programmatically set the webhook URL. As far as I know, the login URL cannot be programmatically set and tools like ngrok only provide a dynamic address unless paid for.

Frederik Claus
  • _“The site URL configured in Facebook Login > Quickstart > Web is `http://localhost:3000/`.”_ - so you have found the first place where you need to start fixing this then. – CBroe Mar 27 '18 at 12:37
  • @CBroe I don't understand what you are talking about. The app is running on port 3000 and this configuration works for all other facebook apps. – Frederik Claus Mar 27 '18 at 13:22
  • These other apps are likely older then, so that they are not affected, because they do not have that option set to Yes by default. This means you will have until March 2019 to upgrade those accordingly ... but for newly created apps, this is what you _start with_ - HTTPS mandatory. (You might go try and check whether this restriction is maybe not in place for test apps; could be they are making an exception for those.) – CBroe Mar 27 '18 at 13:28
  • @CBroe, thanks for the clarification. Using https works. What an unfortunate change. I see no point in using https for apps that are in development and will never be released because their sole purpose is to test the application during development. – Frederik Claus Mar 27 '18 at 13:52
  • A self-signed certificate will do for testing this stuff ... not even the host name will have to match the certificate, since all the relevant stuff regarding login happens in your browser anyway. – CBroe Mar 27 '18 at 16:40
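
The self-signed certificate mentioned in the last comment, as an added example that is not part of the original thread: a helper that creates a short-lived certificate limited to `localhost`, plus a check that the certificate names nothing but loopback. The function names, file names, the `.devcert` directory and the 30-day default are assumptions, and `-addext`/`-ext` need OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original thread): self-signed TLS material for
# a local dev server. Names and defaults are assumptions; adjust as needed.

# make_dev_cert DIR [DAYS]
# Creates DIR/localhost.key and DIR/localhost.crt, unless a certificate that
# stays valid for at least another 24 hours is already there.
make_dev_cert() {
  local dir="$1" days="${2:-30}"
  mkdir -p "$dir" || return 1
  if [ -s "$dir/localhost.key" ] && [ -s "$dir/localhost.crt" ] &&
     openssl x509 -in "$dir/localhost.crt" -noout -checkend 86400 >/dev/null 2>&1
  then
    return 0  # reuse the existing pair
  fi
  # umask inside a subshell: the private key is created owner-only.
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
      -subj "/CN=localhost" \
      -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
      -keyout "$dir/localhost.key" -out "$dir/localhost.crt" >/dev/null 2>&1 )
}

# cert_is_localhost_only CRT
# Succeeds only if every subjectAltName entry is a loopback name, so a leaked
# dev key cannot be used to impersonate a real host.
cert_is_localhost_only() {
  local sans entry
  sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
         sed 1d | tr -d ' ')
  [ -n "$sans" ] || return 1  # no SAN extension at all: reject
  local IFS=,
  for entry in $sans; do
    case "$entry" in
      DNS:localhost|IPAddress:127.0.0.1) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Stand-alone use: sh devcert.sh .devcert
if [ $# -gt 0 ]; then
  make_dev_cert "$1" && cert_is_localhost_only "$1/localhost.crt" &&
    echo "dev certificate ready in $1"
fi
```

Point the dev server on port 3000 at the generated key and certificate, and keep the directory out of version control.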

0 Answers