Home/ Questions/Q 8000541
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T15:49:47+00:00

My main javascript (and so all the static content) is included from https://static.anuary.com .

  • 0

My main javascript (and so all the static content) is included from https://static.anuary.com. The URL that user is browsing is https://dev.anuary.com/somepath/.

Where does the channel file need to be, dev.anuary.com or static.anuary.com? At the moment it is http://static.anuary.com/channel.html.

I am asking because I am still getting the error that says:

Unsafe JavaScript attempt to access frame with URL
https://www.facebook.com/dialog/oauth?access_token=%5B..]&api_key=[..]&app_id=[..]&client_id=[..]&display=popup&domain=dev.anuary.com&locale=en_US&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D6%23cb%3Df3ac7a0544%26origin%3Dhttp%253A%252F%252Fdev.anuary.com%252Ff373e908a8%26domain%3Ddev.anuary.com%26relation%3Dopener%26frame%3Df312def42c&response_type=token%2Csigned_request&scope=email%2Cuser_birthday%2Cuser_likes%2Cuser_interests%2Cpublish_stream&sdk=joey
from frame with URL
http://dev.anuary.com/658fe23c24564ac978c31d167549c4ce8b36686d65a78ad99bfb38765d46e232/.
Domains, protocols and ports must match.

In response to @dtbarne:

Well, that’s the thing – I still don’t know, because I’ve tried bowth ways and any in case it produces the same error:

Unsafe JavaScript attempt to access frame with URL
https://www.facebook.com/dialog/oauth?access_token=%5B..]&api_key=[..]&app_id=[..]&client_id=[..]&display=popup&domain=dev.anuary.com&locale=en_US&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D6%23cb%3Df1ee31b93%26origin%3Dhttp%253A%252F%252Fdev.anuary.com%252Ff9359b2f%26domain%3Ddev.anuary.com%26relation%3Dopener%26frame%3Df18e94f9c4&response_type=token%2Csigned_request&scope=email%2Cuser_birthday%2Cuser_likes%2Cuser_interests%2Cpublish_stream&sdk=joey
from frame with URL
http://dev.anuary.com/658fe23c24564ac978c31d167549c4ce8b36686d65a78ad99bfb38765d46e232/.
Domains, protocols and ports must match.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    As you said yourself, this error is not fatal, and is meant is a warning to the user that something fishy might be happening.

    Facebook also marked this issue as By Design in their bugs system: Bugs > Unsafe JavaScript attempt to access frame with URL….
    Also, there are plenty of threads here on stack overflow about this, for example: Facebook Authentication – Unsafe JavaScript attempt to access frame with URL.

    Now that we know that this “error message” is unavoidable, use the channel as you wish, as long as everything works for you.
    You don’t even need to use the channel, as it states in the documentation:

    The channelUrl parameter is optional, but recommended. Providing a
    channel file can help address three specific known issues. First,
    pages that include code to communicate across frames may cause Social
    Plugins to show up as blank without a channelUrl. Second, if no
    channelUrl is provided and a page includes auto-playing audio or
    video, the user may hear two streams of audio because the page has
    been loaded a second time in the background for cross domain
    communication. Third, a channel file will prevent inclusion of extra
    hits in your server-side logs. If you do not specify a channelUrl, you
    can remove page views containing fb_xd_bust or fb_xd_fragment
    parameters from your logs to ensure proper counts.

    But it also states that:

    The channel file addresses some issues with cross domain communication
    in certain browsers.

    So it’s up to you to decide.
    I personally recommend to use the channel and to serve the file from your regular server and not from the static servers.
    You should however set the output to have a long caching expiration date so that your server won’t get a lot of requests for this file, as they mention in the JS SDK documentation page:

    <?php
   $cache_expire = 60*60*24*365;
   header("Pragma: public");
   header("Cache-Control: max-age=".$cache_expire);
   header('Expires: ' . gmdate('D, d M Y H:i:s', time()+$cache_expire) . ' GMT');
?>
<script src="//connect.facebook.net/en_US/all.js"></script>

    (php example, but can be done with any language).

    Hope this answers clarifies things for you.

    • 0