Notes on using fb:swf in FaceBook

In facebook groups or discussions… I saw plently of developers struggling to embed fb:swf using FBML.

An example for them to make their life easier

<fb:swf swfsrc=”SRC_URL” allowscriptaccess=”all”
bgcolor=”#ECECEC” id=”some_id” wmode=”transparent” SWLIVECONNECT=”true”
flashvars=”serverPath=http://dynamic_url?fbid=<%=uid%>&some_params=blahblah” height=”200″ width=”382″
imgsrc=”img_url_at_beginning” />

The other Common Wiki Notes for this to be noted:

• Currently, Facebook requires Flash version 9.0.0 for all <fb:swf> tags.
• Make sure that the flashvars parameter is all lowercase. Some sources of embedded links capitalize the V, which does not work on Facebook.
• Currently, Facebook wraps the resultant Flash object in a <div> tag, so despite the fact that the embed/object tag is not block-level, consecutive <fb:swf> tags will appear one above the other instead of side-by-side.
• To verify that your Flash object was loaded from a Facebook page, do the following. For security, this technique does not embed your secret key in your Flash app:

1. Get all the parameters whose names start with fb_sig_. (Do not include the fb_sig parameter itself.) In Flex use Application.application.parameters to do this.
2. Strip the fb_sig_ prefix from each, and make sure the keys are lowercase.
3. Create a string of the form param1=value1param2=value2param3=value3, etc., sorted by the names (not the values) of the parameters. Note: Do not use ampersands between the parameters.
4. Pass this string to your server, where your secret key is stored.
5. On your server, append your application secret key to the string that was passed in. The following is returned: param1=value1param2=value2param3=value3myappsecret
6. On your server, create an MD5 hash of this string.
7. Return the MD5 hash from your server to your Flash object.
8. In your Flash object, compare the returned hash with the fb_sig parameter that was passed in. If they are equal, then your Flash object was loaded by Facebook. (Or by someone who stole your secret key.)

While the above technique doesn’t embed your secret in the Flash object, what you’re doing is making a public Web service to sign parameter strings with your secret and then embedding its address in your Flash object. This is just as bad as publishing your secret key (except you do the MD5 computation for any malicious clients). What you want to do is send all the parameters to the Web server (including fb_sig) and have it verify the signature internally and respond with either OK or NOT_OK.