How to fix CSP issues with facebook messenger-checkbox

facebook facebook-javascript-sdk facebook-messenger facebook-messenger-bot
ibaguio picture ibaguio · Apr 30, 2017 · Viewed 9.1k times · Source

I'm trying to make facebook messenger checkbox work, I've added the following code to my html

But whenever I refresh the page, the messenger checkbox doesn't show up, instead I get an error in chrome's console

Refused to display 'https://www.facebook.com/v2.6/plugins/messenger_checkbox.php?allow_login=tr…&user_ref=1tYPmZaYMKXKfcZiUtaENYTXH3H49OTP7tJrt5fyobCgepqziMA0Z037T5gto9o3'
in a frame because an ancestor violates the following Content Security Policy directive: 
"frame-ancestors https://www.facebook.com".

Anyone might know how to fix this? Been stuck for the last 24hrs.

Edit: Docs states that i should add my domain as whitelist, i already did, but this error still persists.

Answer

adamc picture adamc · Aug 11, 2017

There are two solutions to this problem:

  1. Install the chrome Disable Content-Security-Policy plugin and use it to disable content security policy headers when viewing the page where your checkbox plugin is used

  2. Whitelist the domain (including the protocol and port) of the page where the plugin is hosted. When testing this locally, I was hosting the plugin on a nodejs app which was running on http://localhost:3000/signup. I was also using ngrok to allow me to expose my local server remotely so that I can handle the opt-in callback on my local machine. It turns out that you must whitelist the domain that you entered into your browser URL field to access the page. This might seem obvious, but I kept trying to use the ngrok domain, which looked like http://abc364ef.ngrok.io and didn't work. In my case, since I was accessing the page through http://localhost:3000/signup, I had to use the following whitelist command:

    curl -X POST -H "Content-Type: application/json" -d '{
  "whitelisted_domains":[
    "http://localhost:3000"
  ]
}' "https://graph.facebook.com/v2.6/me/messenger_profile?access_token=PAGE_ACCESS_TOKEN"

    I also had to use this same domain in the origin attribute of the <div class="fb-messenger-checkbox" block. I discovered afterwards that I could've actually used the ngrok domain, however, I would've had to access the page using http://abc364ef.ngrok.io/signup, which was too slow, so I preferred to stick with http://localhost:3000.

Related questions

Facebook Messenger API pages_messaging permission

I am creating an application where I need a user to be able to grant us access to their facebook page so that all incoming messages can flow through our application (as well as outgoing). I have this all working …

Read More
How to add facebook share button on my website?

I have this code that suppose to work, but doesn't work. If this helps you in anyway that would be great. <script src='http://connect.facebook.net/en_US/all.js'></script> <p><…

Read More
How to get access token from FB.login method in javascript SDK

I need to get the access token from FB.login method in Javascript SDK. My login code is FB.login(function(response) { if (response.session) { if (response.perms) { } else { // user is logged in, but did not grant any permissions alert("…

Read More