Keeping Up With Facebook Platform Changes

Red Bull is renowned in some circles for the strength of its Facebook business page, particularly among marketers who admire its clear "call to action" for visitors to click that "Like" button. Yet, thanks to the pace of change on the Facebook platform, which renders one day's best practices obsolete the next, the Red Bull page is broken as I write this--or at least appears broken to some users.

I point this out not to ridicule Red Bull's Web developers but to sympathize with them. Many Facebook applications and page tabs that were created in the last month or two to take advantage of one change in the Facebook platform (the FBML to IFrames shift) have been tripped up by another change ("secure browsing"). I've spoken with many small website operators who rushed to create or redesign their Facebook page tabs to fit the new specification and now are discovering that their pages don't display properly for everyone.

Instead, they get an error like the one I saw when I tried to visit the Red Bull page: "Sorry! We can't display this content while you're viewing Facebook over a secure connection (https). Would you like to temporarily switch to a regular connection (http) to use this app?" This goes to show it's not only the little guys who got caught flatfooted.

What is happening here is that Red Bull has created a welcome message to be viewed when a new person visits the page, with lots of colorful errors pointing to the "Like" button at the top of the page and the message "LIKE OUR PAGE. HINT, HINT." There is no prize for subtlety here--the virtue is in removing all doubt about what visitors are being asked to do. I went to this page in the first place looking for outstanding examples of this "reveal tab" effect, where special offers are typically displayed once you've signed up. I'd found it on a list of 40 Highly Effective Facebook Business Pages.

Previously, the only way to create a page tab was to program it in Facebook Markup Language (FBML). You could serve a page as FBML from a remote site, but Facebook would proxy it--importing the content from your site, processing it, and then serving it from Facebook.com. The IFrame integration method is more flexible in many ways, but it effectively means you are viewing two pages at the same time--the outer facebook.com page and a second page embedded within the IFrame. In this case, the content is coming from an external Web page on a server that appears not to have an SSL certificate installed. If a user is browsing in https mode and no matching https address has been supplied for a tab's content, Facebook refuses to display mixed secure and insecure content. So the default content for the Red Bull Facebook page--the bit that's supposed to convert you to everlasting fandom--isn't shown if you're an https user unless you click the "okay, show me this horribly insecure content" button.Note that "secure" in this context means encrypted--users operating in this mode are protecting the content of their status posts more or less the same way they might protect the transmission of their bank account passwords. They aren't necessarily any more protected against malware, scams, privacy-sucking applications, and other ills of the Internet. But I suspect the perception may be otherwise.

To give the people at Facebook credit, refusing to display unencrypted content within an encrypted page is one way they are trying to avoid some potential security risks of the IFrame integration model. Also, even if Facebook didn't prevent the IFrame from displaying, Internet Explorer users would get a warning about mixed secure and insecure content that would tend to scare them off (some other browsers are more laid back about this).

The problem is easily solved by registering and installing an SSL certificate for your server--a slight stumbling block for some small time operators, in terms of technical complexity and expense, but no biggie for a brand like Red Bull--and adding the https address for your content to the "Secure Tab URL" field in the Facebook app registration form. Facebook then serves the https version as the IFrame content to users browsing in that mode.

One catch: There was no such field on the form until about a month ago. Facebook introduced its secure browsing feature in late January and added IFrame page tab support on February 10. At the time, the potential overlap between these two changes was not widely noted. About mid-March, I started hearing from people who had followed my tutorial on creating an IFrame-style page tab and were having trouble accessing their own content because they had switched on the https browsing feature. At one point, Facebook's solution was not to display the unsecured tabs at all for https users, so it seemed to some like their tabs had simply disappeared.

Going back and looking at old screen shots, I can see that there was a way developers could have specified a secure URL on the old form. Previously, there was a way of specifying a secure "canvas URL" for your applications, and the form had you specify your tab url as a file or subdirectory below the one for the canvas. However, it wasn't clear why you would need to do so unless your app was handling particularly sensitive information.

Facebook advised developers of the need to secure an SSL certificate in a blog post on Friday, but as far as I can tell this is the first time they've highlighted the issue. According to the post, the number of Facebook users browsing with https is up to 9.6 million and counting. That's out of about 500 million active users, but in my experience it includes many of the most active among them--not people you want to snub or make jump through hoops to get to your content.

This is just another reminder of the hazards of building business applications on a platform owned by someone else, one that changes according to some else's schedule and plans. You really have to stay on your toes if you want to keep up. This may require working late hours and drinking more Red Bull.

Recommended Reading: