I created an app and an offline access token so I could display a news feed on my website without requiring a Facebook login. I created two test versions in PHP and JavaScript that work fine. But I took down the JavaScript version because I was concerned about the lack of security in explicitly stating the access token in a client-side script. Is server-side the only way to go for security reasons?
I think you are correct to take out your access token from javascript. As long as that access token is valid - even if it hasn't been obtained with offline_access permissions - it can be used to perform actions on behalf of that user/app/page. All you need to make calls is the user/app/page ID which is easily obtainable and a valid access token...
I recommend you leave your access token management to your server-side scripts. Perhaps making ajax calls to refresh the posts at regular intervals...
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.