As you can tell, this is going to be a nice and easy topic.

Got the go-ahead to deploy Facebook Connect to the site I'm working on, everything certified "Works on Dev" so go to push it to the UAT servers.

This environment is load-balanced and has an F5 firewall sitting in front of it, and proceeded to fall over in spectacular fashion.

The bizarre thing is that FireFox and Chrome are happy, while IE (surprise) throws back the mystic error "Redirect Required" with content of

<meta http-equiv="refresh" content="0; url=[MY URL]>

Hmmm.

Facebook xd_receive and Cross Domain Communication

Facebook Cross Domain comms is based on using IFrames to transport data, see http://msdn.microsoft.com/en-us/library/bb735305.aspx for a full explanation.


On investigation of the Big IP logs, we could see the raw request was flagging a Cross-Domain Scripting attack for the IE request (but not for the FF request). 

My gut-feel is that this could be as a result of an IE security patch which puts a whole lot of extra stuff in the Form variables which then confuses Big IP, but this is a complete and utter guess.

The solution?  Patch a hole in the Firewall.  So not really a solution I'm afraid.