From Facebook Developer Wiki

Typically, Ajax requests are done on a site by using XMLHttpRequest. However, browser security rules state that you cannot make a request to a different domain. How do we solve this?

The Facebook JavaScript Client Library uses a technique called Iframe Cross Domain Communication. Basically, it uses everything after the hash in a URL request to send a message from one domain to another. This technique is used in multiple places:

• Fetching the login status
• Making API requests in order to display XFBML
• Communicating from the login dialog back to the main site

Read a detailed description of the theory behind cross domain communication

For example, here's how the login status fetch works: