Secure Canvas - Should every http request on the canvas page also change to https?

Question

Since 1st Oct is coming. I am working on Secure Canvas URL stuff.

My canvas url is like canvas.example.com. I can make this domain and server SSL ready without a problem.

My question is, should every http request made by canvas.example.com also change to https?

e.g. I import some JS, CSS, images from cdn.example.com to my canvas page, should i configure cdn.example.com alos can be accessed via https, or I can just leave this domain alone, still use http to get those content?

thank you very much.

score 2 · Answer 1 · answered Sep 13 '11 at 07:16

2

You should make all content served over https or the browser will show warnings.

answered Sep 13 '11 at 07:16

bkaid

51,465
22
112
128

score 2 · Answer 2 · answered Sep 13 '11 at 08:03

Facebook policies clearly mention that all the Page Tabs and iFrame Applications shal have an SSL certificate.. Any external content like images and JS included on your site shall also come from secured hostings hence the Https:// else your shall not be complying to FB Policies.. Gives the fact that FB has been very strict on punishing defaulters i dont think any app developer can take risk ..

Secure Canvas - Should every http request on the canvas page also change to https?

2 Answers2