I am writing a new canvas app using the iframe approach. My backend supports both HTTP and HTTPS for the canvas responses, but it seems by default Facebook puts users on HTTP and sends all the important credentials (i.e. access tokens in the signed_request payload, etc.) directly in plain text over HTTP. This is, of course, a security vulnerability on shared networks (coffee shops, offices, etc., where it would be trivial to sniff the access tokens).
How can I force all my canvas requests to operate over HTTPS, and protect my users' credentials?
I think all developers should want - or be required - to do this. While I am new to Facebook development, I am surprised that they would not be using HTTPS for all direct transmissions of user access tokens. OAuth 1.0 had mechanisms to enable the use of access tokens over HTTP (since requests had to be signed by the client application), but OAuth 2.0 did away with all of that in favor of using HTTPS for any request with an embedded credential. Facebook helped design OAuth 2.0 and is, afaics, undermining the security of the design by deviating from HTTPS usage in canvas requests.
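A server-side check that matches the concern in the question, added here as an illustration and not code from the question or from Facebook: it verifies the signed_request HMAC (the documented format is a base64url signature, a dot, and a base64url JSON payload signed with the app secret using HMAC-SHA256) and refuses to use the embedded token when the canvas request did not arrive over HTTPS. The app secret, the payload values and the `https://apps.facebook.com/<your-app-namespace>/` redirect target are constructed placeholders.

```python
"""Verify a Facebook-style signed_request and only act on it when the
canvas request arrived over HTTPS. Added illustration, not code from the
original post; the app secret, payload values and redirect URL are constructed."""
import base64
import hashlib
import hmac
import json

APP_SECRET = b"constructed-app-secret-not-real"  # constructed sample value


def _b64url_decode(data: str) -> bytes:
    # signed_request uses unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def parse_signed_request(signed_request: str, app_secret: bytes) -> dict:
    """Return the payload dict if the signature checks out, else raise ValueError."""
    if "." not in signed_request:
        raise ValueError("malformed signed_request")
    encoded_sig, encoded_payload = signed_request.split(".", 1)
    sig = _b64url_decode(encoded_sig)
    payload = json.loads(_b64url_decode(encoded_payload))
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(app_secret, encoded_payload.encode(), hashlib.sha256).digest()
    # constant-time comparison: a forged signature must not be confirmable byte by byte
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return payload


def handle_canvas_request(signed_request: str, is_https: bool, app_secret: bytes = APP_SECRET):
    """Model of the canvas endpoint. Returns ("ok", payload), ("redirect", url) or ("reject", reason)."""
    if not is_https:
        # The token already crossed the network in clear text; do not use it.
        # Send the browser to the HTTPS canvas URL instead (namespace is a placeholder).
        return ("redirect", "https://apps.facebook.com/<your-app-namespace>/")
    try:
        return ("ok", parse_signed_request(signed_request, app_secret))
    except ValueError as exc:  # includes JSON and base64 decoding errors
        return ("reject", str(exc))


def make_signed_request(payload: dict, app_secret: bytes) -> str:
    """Build a signed_request the way the platform does (used here to construct sample input)."""
    enc = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    sig = hmac.new(app_secret, enc.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).rstrip(b"=").decode() + "." + enc
```

In a real deployment `is_https` comes from the request the canvas iframe makes to your own server (its scheme, or a trusted proxy header), and the redirect only limits further exposure; a token that already travelled over HTTP should be treated as compromised.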