(This post was modified on 4/17/11 with another helpful tip. See the note between Fix 2 and 3 below.)
Some folks may consider the Facebook iFrame issue resolved, but it’s not quite. For one thing, some apps pop the viewer out of their secure login without warning. On the other hand, some apps are polite enough to ask if you want to switch to an unsecure login to view, while others leave you in a secure login and work just fine. Here’s what you need to know about iFrame apps and why it matters where you store your content files.
In my recent post Are Facebook Business Pages Too Complex for New Users? I lamented the chaos caused by the Facebook iFrames fiasco when a perfect storm converged between the deadline for creating FBML tabs on Facebook business (fan) pages, and the grassroots-generated issue of using a secure login (https) while surfing Facebook to keep hackers from tapping into your account.
The problem is that iFrame content that is stored on an unsecure host (non https) cannot be displayed properly when a Facebook user is logged in using a secure connection (https). Let me break that down for you.
What is a Secure Login?
A secure login requires you to use https at the beginning of the URL. Your entire session on that site is then encrypted and any content you send or receive is across a secure connection where hackers can’t see or steal it. Online banking and shopping carts use a secure login.
What is iFrame?
An iFrame is an inline frame. It literally provides a frame around other code that will be displayed on a website. That other code is embedded inside the frame.
What is an iFrame app?
It’s a little application that allows you to use iFrames on Facebook. Several companies and a few generous coders have created apps for you to use.
What is iFrame Content?
An iFrame wraps around content that is coded like a regular web page. That content can be in several coding languages, the most common of which is HTML. Facebook had its own language known as FBML. The most recent iteration of that is XFBML, which is specifically for using in iFrames.
Where You Host iFrame Content Matters
Like any website page, the iFrame content must be stored on a host server. For a Facebook viewer using a secure login to see that content on a Facebook business page, the content must be stored on a secure host. (The app calls the content, which is stored on an independent host, into the Facebook page.)
Most folks with websites do not host them on a secure server. So, if they are a DIYer like me, they can’t create their own page, host it on their server, and have an app make it appear on their Facebook business page without it popping the Facebook user out of their secure login. That’s any app.
Nor can you hire a designer to create the page and host it on your unsecure server without having the same issue.
You have several choices when it comes to dealing with this issue. You’ll have to decide which one works best for you and your budget.
Fix 1. Hire a designer who specializes in creating Facebook pages, like Hugh Briss at Social Identities, who will also host the page for you on a secure server.
Fix 2. Create the page yourself or hire a designer, and then host the page on a secure server like Amazon S3.
(Just added on 4/17/11 – HyperArts reported a bug to Facebook. If your iframe content is stored on a secure server, but is calling in photos stored on your unsecured site, the result will be as if the entire content is on an unsecured host. So, store all of your iframes content, including images, on a secured host for Fixes 1 and 2 to work.)
Fix 3. Create the page yourself or hire a designer, and then host the page on your unsecure server and use an app that detects the viewer’s login and asks if they want to switch to an unsecure login to view your page.
Fix 4. Create the page yourself or hire a designer, and then host the page on your unsecure server and hope no one notices that viewing your Facebook business page just popped them out of their secure login without warning.
If you use Facebook and have a business page, or plan to have one in the future, follow Mari Smith on Facebook. In the sidebar of her page, you will see several tabs that show icons of all the different iFrame apps she is using. One of those tabs is a link to her Big List of Apps page (on Facebook). Go there to see what she says about each iFrame app. (There are more types of apps listed on the page too.) Then, go to the app’s site and ask how they handle the secure login issue.
Some apps are totally free and have no ads. Some are free up to a certain number of fans, and some are strictly paid. So, check the cost too.
It seems that Facebook is going to stick with iFrames and has let its users fend for themselves on this issue. Do what works best for you and your budget, and what you can be at peace about with your audience.