
I have an iframe FB app. We have three places where we develop it: my localhost, a stage server where we test the app, and a production server. Localhost and production have HTTPS. Localhost and stage apps have sandbox mode enabled. All versions of the app are identical; the code is the same. Stage and production are on the very same server machine with the same settings, except for the HTTPS.

Now what is happening only at my stage server app: When I click on something where a jQuery UI dialog should be summoned, it raises the following error in my Firebug: Permission denied to access property 'Arbiter'. No dialog is summoned then. It's raised in the somehow dynamically loaded canvas_proxy.php, within this code:

/**
 * Parses the fragment and calls Arbiter.inform(method, params)
 *
 * @author ptarjan
 */
function doFragmentSend() {
  var
    location = window.location.toString(),
    fragment = location.substr(location.indexOf('#') + 1),
    params = {},
    parts = fragment.split('&'),
    i,
    pair;

  lowerPageDomain();

  for (i=0; i<parts.length; i++) {
    pair = parts[i].split('=', 2);
    params[decodeURIComponent(pair[0])] = decodeURIComponent(pair[1]);
  }
  var p = params.relation ? resolveRelation(params.relation) : parent.parent;

  // The user is not inside a frame (probably testing on their own domain)
  if (p == parent || !p.Arbiter || !p.JSON) {
    return;
  }

  p.Arbiter.inform(
    'Connect.Unsafe.'+params.method,
    p.JSON.parse(params.params),
    getBehavior(p, params.behavior));
}

The line if (p == parent || !p.Arbiter || !p.JSON) { raises it. My script code linking the JS API looks like this:

<script src="https://connect.facebook.net/en_US/all.js#appId=APPID"></script>

Does anyone have any clue why this could be happening? I found this and this, but these issues don't seem to be helpful to me (or I just don't get it). Could it be because of the HTTPS? Why did it work the day before yesterday? I am desperate :-(

Honza Javorek
  • Not yet. We are waiting a bit if it's permanent or if it's some kind of Facebook Platform turbulence. – Honza Javorek Jan 07 '12 at 13:51
  • Is there a bug for this submitted yet to Facebook? – Jared Hales Jan 31 '12 at 16:30
  • Could it be a document domain issue? – Dai Bok Feb 01 '12 at 13:43
  • @DaiBok I am very sorry, but I don't understand much the words "document domain issue". What exactly do you mean by this? Thank you. – Honza Javorek Feb 03 '12 at 20:33
  • Have you heard of the same origin policy? Sometimes when creating iframes, especially dynamically, they may be created under a different document domain and you end up getting permission errors. Have a read through https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript and there are quite a few solutions and fixes on Google. – Dai Bok Feb 06 '12 at 09:37
  • @DaiBok Yes, I heard about the same origin policy, I didn't realize it could be related. And I am still not sure, as our app doesn't do any non-standard cross-domain handling (neither ajax nor iframes), we do pretty common stuff on top of the Facebook platform, which is of course itself built upon some cross-domain things. And the same app works just a folder away (but with SSL) completely flawlessly. Thank you for the suggestion, I'll investigate this when I have time. – Honza Javorek Feb 06 '12 at 15:15
  • Could this: http://stackoverflow.com/q/7206587/196307 have anything to do with it? (Result of a quick Google search for "Permission denied to access property 'Arbiter'") – Ashley Strout Feb 12 '12 at 16:37

1 Answer


Whenever you have a permission denied message and you are dealing with frames or iframes, it's a document domain issue. One document belongs to domain x and the other is domain y. And notice that www.domain.com and domain.com are not the same document domains!

When you are tapping into the DOM of one framed document from another one (whether it is for the purpose of changing the values of a page element or simply reading the values of some hidden variable or URL etc.), you will get a permission denied message unless both framed documents are served from the same/identical domains.

So, if one frame belongs to www.mydomain.com and the other happens to be just mydomain.com or www.someotherdomain.com, you get that bloody permission denied error.

And there is no way around it. And if there were, the identity theft problem would have sky-rocketed in no time.

Average Joe
  • It seems this is really the problem. However, it also seems the issue is on Facebook's side. I see the solution to my problem in this answer http://stackoverflow.com/a/7951175/325365 :-( – Honza Javorek Feb 15 '12 at 17:43
  • Just to note, it is possible to change the document domain, as long as they're on the same domain. See https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy – james Jun 20 '14 at 11:13
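
The rule described in the answer and the document.domain relaxation mentioned in the last comment, as an added example that is not part of the original posts: a small model of the check a browser makes before one frame may touch another frame's properties. The function names are hypothetical, the URLs are constructed values on the reserved .test TLD, and the public-suffix restriction on document.domain is not modelled.

```javascript
// Added example: a model of the browser's cross-frame access check.
// Hostnames are constructed sample values on the reserved .test TLD.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is the (scheme, host, port) tuple; make default ports explicit.
function originOf(href) {
  const u = new URL(href);
  return { scheme: u.protocol, host: u.hostname,
           port: u.port || DEFAULT_PORTS[u.protocol] || '' };
}

// document.domain may only be set to the host itself or a parent domain of it.
// (Browsers also reject public suffixes such as "com"; not modelled here.)
function isHostOrParent(host, value) {
  return host === value || host.endsWith('.' + value);
}

// frame = { url, domain? } where domain is the value the page assigned to
// document.domain, or undefined if it never assigned one.
function canAccess(a, b) {
  const x = originOf(a.url), y = originOf(b.url);
  const deny = (reason) => ({ allowed: false, reason });
  if (x.scheme !== y.scheme) return deny('scheme differs');
  if (a.domain !== undefined || b.domain !== undefined) {
    // The relaxation needs both documents to opt in with the same value;
    // once set, the port is no longer compared.
    if (a.domain === undefined || b.domain === undefined)
      return deny('only one frame set document.domain');
    if (!isHostOrParent(x.host, a.domain) || !isHostOrParent(y.host, b.domain))
      return deny('document.domain is not the host or a parent of it');
    return a.domain === b.domain
      ? { allowed: true, reason: 'matching document.domain' }
      : deny('document.domain differs');
  }
  if (x.host !== y.host) return deny('host differs');
  if (x.port !== y.port) return deny('port differs');
  return { allowed: true, reason: 'same origin' };
}

const cases = [
  [{ url: 'https://www.example.test/app' }, { url: 'https://example.test/proxy' }],
  [{ url: 'http://stage.example.test/app' }, { url: 'https://stage.example.test/proxy' }],
  [{ url: 'https://www.example.test/app', domain: 'example.test' },
   { url: 'https://example.test/proxy', domain: 'example.test' }],
];
for (const [a, b] of cases) console.log(a.url, '->', b.url, canAccess(a, b));
```

The document.domain setter is deprecated in current browsers; postMessage is the supported channel between frames of different origins.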