Reference Guide

facebook FBML Reference Guide Page 46 of 159
Notes
Currently, Facebook requires Flash version 9.0.0 for all <fb:swf> tags.
Make sure that the flashvars parameter is all lowercase. Some sources of embedded links capitalize the
V, which does not work on Facebook.
Currently, Facebook wraps the resultant Flash object in a <div> tag, so despite the fact that the
embed/object tag is not block-level, consecutive <fb:swf> tags will appear one above the other instead
of side-by-side.
To verify that your Flash object was loaded from a Facebook page, do the following. For security, this
technique does not embed your secret key in your Flash app:
1. Get all the parameters whose names start with fb_sig_. (Do not include the fb_sig parameter itself.) In Flex, use Application.application.parameters to do this.
2. Strip the fb_sig_ prefix from each, and make sure the keys are lowercase.
3. Create a string of the form param1=value1param2=value2param3=value3, etc., sorted by the names (not the values) of the parameters. Note: Do not use ampersands between the parameters.
4. Pass this string to your server, where your secret key is stored.
5. On your server, append your application secret key to the string that was passed in. This yields a string of the form:
   param1=value1param2=value2param3=value3myappsecret
6. On your server, create an MD5 hash of this string.
7. Return the MD5 hash from your server to your Flash object.
8. In your Flash object, compare the returned hash with the fb_sig parameter that was passed in. If they are equal, then your Flash object was loaded by Facebook. (Or by someone who stole your secret key.)
While the above technique doesn't embed your secret in the Flash object, what you are actually doing is
exposing a public Web service that signs arbitrary parameter strings with your secret, and then embedding that
service's address in your Flash object. This is just as bad as publishing your secret key (except that your server
now does the MD5 computation for any malicious client).
What you want to do instead is send all the parameters to the Web server (including fb_sig) and have it verify the
signature internally and respond with either OK or NOT_OK.
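The following is an added example of the corrected server-side check described above; it is not code from the FBML Reference Guide or from Facebook. The Flash object forwards every parameter it received, including fb_sig, and the server rebuilds the signed string (fb_sig_* keys with the prefix stripped and lowercased, sorted by name, concatenated as key=value with no ampersands), appends the secret, takes the MD5 as the fb_sig scheme specifies, and answers OK or NOT_OK. The secret never leaves the server, and the server never signs a caller-chosen string. The app secret, parameter names other than the standard fb_sig_ prefix, and all values are constructed for the demo; the constant-time comparison via hmac.compare_digest is this example's choice, not something the guide prescribes.

```python
import hashlib
import hmac

SIG_PREFIX = "fb_sig_"


def build_sig_payload(params):
    """Rebuild the string Facebook signed: every fb_sig_* parameter with the
    prefix stripped and the key lowercased, sorted by key, concatenated as
    key=value with no separator between pairs. The bare fb_sig parameter is
    the signature itself, so it is excluded (it does not start with fb_sig_)."""
    items = [(k[len(SIG_PREFIX):].lower(), v)
             for k, v in params.items() if k.startswith(SIG_PREFIX)]
    items.sort(key=lambda kv: kv[0])          # sort by parameter name, not value
    return "".join(f"{k}={v}" for k, v in items)


def compute_fb_sig(params, app_secret):
    """MD5 over payload + secret, exactly as the fb_sig scheme defines it."""
    data = (build_sig_payload(params) + app_secret).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def verify_request(params, app_secret):
    """Server-side verifier: the client forwards *all* parameters, including
    fb_sig; the server recomputes the signature internally and returns only
    OK or NOT_OK. Nothing derived from the secret is sent back to the client."""
    presented = str(params.get("fb_sig", "")).lower()
    if not presented or not presented.isascii():
        return "NOT_OK"
    expected = compute_fb_sig(params, app_secret)
    return "OK" if hmac.compare_digest(expected, presented) else "NOT_OK"


# Constructed sample request: secret and values are made up for this demo.
APP_SECRET = "example-secret-not-real"
SAMPLE_PARAMS = {
    "fb_sig_user": "12345",
    "fb_sig_time": "1200000000.12",
    "fb_sig_added": "1",
    "unrelated": "ignored",   # parameters without the fb_sig_ prefix are not signed
}
# Simulate Facebook attaching the signature to the request.
SAMPLE_PARAMS["fb_sig"] = compute_fb_sig(SAMPLE_PARAMS, APP_SECRET)


def demo():
    """Run the verifier over a genuine, a tampered and a signature-less request."""
    tampered = dict(SAMPLE_PARAMS, fb_sig_user="99999")   # user id changed, old fb_sig kept
    missing = {k: v for k, v in SAMPLE_PARAMS.items() if k != "fb_sig"}
    return {
        "payload": build_sig_payload(SAMPLE_PARAMS),
        "genuine": verify_request(SAMPLE_PARAMS, APP_SECRET),
        "tampered": verify_request(tampered, APP_SECRET),
        "missing_sig": verify_request(missing, APP_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast with the flawed design is in what crosses the wire: the endpoint above receives a parameter set plus the signature Facebook already produced and returns one bit, whereas the eight-step technique would receive an arbitrary string and return its signature. Keeping fb_sig out of the payload (the prefix test excludes it) and excluding non-fb_sig_ parameters are the two details most often got wrong when reimplementing the check.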
See Also
fb:flv
fb:mp3
www.yapish.com