Ruby ';拒绝在框架中显示;Facebook Oauth对话框
我在验证我的应用程序的用户时遇到一些问题。在身份验证过程中,我遇到以下错误:Ruby ';拒绝在框架中显示;Facebook Oauth对话框,ruby,facebook,oauth,sinatra,facebook-oauth,Ruby,Facebook,Oauth,Sinatra,Facebook Oauth,我在验证我的应用程序的用户时遇到一些问题。在身份验证过程中,我遇到以下错误: Refused to display 'https://www.facebook.com/dialog/oauth?response_type=code&client_id=xxxxxxxx…%2Fliketodownload.xx-xxxx.com%2Fauth%2Ffacebook%2Fcallback&scope=email' in a frame because it set 'X-Frame-
Refused to display 'https://www.facebook.com/dialog/oauth?response_type=code&client_id=xxxxxxxx…%2Fliketodownload.xx-xxxx.com%2Fauth%2Ffacebook%2Fcallback&scope=email' in a frame because it set 'X-Frame-Options' to 'DENY'.
我认为这和试图重定向到无效目标的身份验证有关,这就是它被阻止的原因。但对于Ruby和Sinatra,我不确定如何克服这一点
非常感谢
更新
我没有重定向到视图,其中的auth和add-to-page对话框通过html触发到新的目标中。现在,我试图找出适当地对用户进行身份验证和重定向的逻辑
代码如下:
post '/' do
if current_user
signed_request = FBGraph::Canvas.parse_signed_request(APP_SECRET, params[:signed_request])
if signed_request["page"] != nil
is_admin = signed_request["page"]["admin"]
is_liked = signed_request["page"]["liked"]
if is_admin #if admin, see if existing user is in db, if not create, then send to admin page
puts "user is a page admin" #logging for dev
redirect '/index'
elsif is_liked #if liked send to download end point
puts "user has liked page" #logging for dev purposes
redirect '/main/#/liked'
elsif !is_liked #otherwise make them like the page
puts "user has not liked" #logging for dev purposes
redirect '/main/#/notliked'
end
else
redirect '/addtopage/#/addtopageview'
end
elsif $auth1 && !current_user
puts "post / add to page view reached"
User.first_or_create({:uid => $auth1["uid"]}, {
:uid => $auth1["uid"],
:nickname => $auth1["info"]["nickname"],
:name => $auth1["info"]["name"],
:email_address => $auth1["info"]["email"],
:created_at => Time.now})
redirect '/addtopage/#/addtopageview'
else
# we just redirect to /auth/facebook here which will parse the @signed_request FB sends us, asking for auth if the user has not already granted access, or simply moving straight to the callback where they have already granted access.
puts "post / auth me reached"
redirect '/addtopage/#/authme'
end
end
get '/auth/:provider/callback' do
content_type 'application/json'
response.set_cookie 'test', {:value => "facebook_callback", :path => "/"}
JSON.generate(request.env)
auth = request.env["omniauth.auth"]
$auth1 = auth
#need escape here to allow user to initially authorise app without the full @signed_request?
session['fb_auth'] = auth
session['fb_token'] = cookies[:fb_token] = auth['credentials']['token']
session['fb_error'] = nil
if params[:signed_request] != nil #if the signed request isn't empty
signed_request = FBGraph::Canvas.parse_signed_request(APP_SECRET, params[:signed_request])
if signed_request["page"] != nil #if the signed request contains page data
$page_id = signed_request["page"]["id"]
is_admin = signed_request["page"]["admin"]
is_liked = signed_request["page"]["liked"]
if is_admin #if admin, see if existing user is in db, if not create, then send to admin page
puts "user is a page admin" #logging for dev
User.first_or_create({:uid => auth["uid"]}, {
:uid => auth["uid"],
:nickname => auth["info"]["nickname"],
:name => auth["info"]["name"],
:email_address => auth["info"]["email"],
:created_at => Time.now})
#insert page_id into database?
redirect '/index'
elsif is_liked #if liked send to download end point
puts "user has liked page" #logging for dev purposes
redirect '/main/#/liked'
elsif !is_liked #otherwise make them like the page
puts "user has not liked" #logging for dev purposes
redirect '/main/#/notliked'
end
else #user authed app but needs to add to page
puts "add to page view"
redirect '/addtopage/#/addtopageview'
end
else
#needs to redirect to a page telling them that they must be on facebook or that they must authorise the application
redirect '/index'
end
end
helpers do
def current_user
@current_user ||= User.get(session[:user_id]) if session[:user_id]
end
end
除了社交插件,Facebook域名不能
iframed
,为什么
出于安全原因,例如,假设您登录了您的Facebook帐户
我有http://example.com/xss.html
具有iframe
的http://facebook.com
通过这种方式,我可以从您的帐户中窃取或hi jack
敏感信息,如fb\U dtsg
令牌,对于oAuth对话框也一样
我可以将我的iframe
源代码设置为它,然后窃取您的访问令牌
:)
我希望Facebook为什么使用
header('X-Frame-Options: DENY');
谢谢你的回答。我知道点击劫持的局限性。我真正想要的是一些代码逻辑方面的帮助来解决这个问题。我已经在上面粘贴了我的更新代码,但仍然没有这样做的运气。以前用户进行身份验证并存储在cookie中的尝试效果良好,但对于cookie过期的会话,这不是一个可行的解决方案。因此,我试图检查该用户是否是当前用户(在代码中的其他地方定义),但目前我没有任何运气:(如果您能够帮助,那将是非常棒的!