Fb:swf
From Facebook Developers Wiki
Contents |
[edit] Description
Renders a Shockwave Flash (SWF) object. On profile pages, an image appears first. When the user clicks the image, it turns into the Flash object. On canvas pages, the image is ignored, and the Flash object is directly included.
[edit] Attributes
| Required | Name | Type | Description | |
| required | swfsrc | string | The URL of the Flash object. The URL must be absolute. | |
|---|---|---|---|---|
| optional | imgsrc | string | The URL of the image (.gif and .jpg formats only). (default value is [1]; Note that this renders the Flash object unusable and invisible on profile pages.) | |
| height | int | The height of the image and the Flash object. | ||
| width | int | The width of the image and the Flash object. | ||
| imgstyle | string | The style attribute for the image. | ||
| imgclass | string | The class attribute for the image. | ||
| flashvars | string | The URL-encoded Flash variables. Also passes the fb_sig_ values as described in the section on Forms. | ||
| swfbgcolor | string | The hex-encoded background color for the Flash object. | ||
| waitforclick | bool | Indicates whether to autoplay the Flash object (false) when allowed. false does not work in profiles for security and aesthetic reasons, except after an AJAX call. (default value is true) | ||
| salign | string | The salign attribute from normal Flash <embed>. Specify t (top), b (bottom) l (left), r (right) or a combination (tl, tr, bl, br) | ||
| loop | bool | Indicates whether to play the Flash object continuously. Specify true or false | ||
| quality | string | Indicates the quality of the object. Specify high, medium or low. | ||
| scale | string | The scaling to apply to the object. Specify showall, noborder, exactfit | ||
| align | string | Indicates how the browser aligns the obect. Specify left, center or right | ||
| wmode | string | Indicates the opacity setting for the object. Specify transparent, opaque or window. (default value is transparent) |
[edit] Flash Variables
Facebook passes the following parameters to the SWF when it is loaded:
| Required | Name | Type | Description | |
| allowScriptAccess | string | This string is always set to "never." | ||
| fb_sig_profile | int | The uid of the user into whose profile the Flash object is being loaded; this is blank when loaded in the canvas. | ||
| fb_sig_time | int | The time when the signature was generated. | ||
| fb_sig_user | int | The uid of the currently logged in user. | ||
| fb_sig_session_key | string | The Facebook session key. | ||
| fb_sig_expires | int | The session expiration time. | ||
| fb_sig_api_key | string | Your application's API key. | ||
| fb_sig_added | bool | Indicates whether the user has added your application. | ||
| fb_sig | string | An MD5 hash of all the parameters with names that start with fb_sig_ plus your application secret. This way, the Flash object can confirm that it is being loaded into a Facebook page. (But be careful embedding your secret in your Flash application; hackers can get at it if you do.) See notes below. |
[edit] Examples
| <fb:swf swfbgcolor="000000" imgstyle="border-width:3px; border-color:white;" swfsrc='http://www.youtube.com/v/<c:out value="${nutshotData.episodeNumber}"/>' imgsrc='http://img.youtube.com/vi/${param.nutshot}/2.jpg' width='340' height='270' /> You can see it in action at The nutshOt network |
 |
[edit] Notes
- Currently, Facebook requires Flash version 9.0.0 for all
<fb:swf>tags.
- Make sure that the
flashvarsparameter is all lowercase. Some sources of embedded links capitalize the V, which does not work on Facebook. - Currently, Facebook wraps the resultant Flash object in a <div> tag, so despite the fact that the embed/object tag is not block-level, consecutive
<fb:swf>tags will appear one above the other instead of side-by-side. - To verify that your Flash object was loaded from a Facebook page, do the following. For security, this technique does not embed your secret key in your Flash app:
- Get all the parameters whose names start with fb_sig_. (Do not include the fb_sig parameter itself.) In Flex use Application.application.parameters to do this.
- Strip the fb_sig_ prefix from each, and make sure the keys are lowercase.
- Create a string of the form param1=value1param2=value2param3=value3, etc., sorted by the names (not the values) of the parameters. Note: Do not use ampersands between the parameters.
- Pass this string to your server, where your secret key is stored.
- On your server, append your application secret key to the string that was passed in. The following is returned: param1=value1param2=value2param3=value3myappsecret
- On your server, create an MD5 hash of this string.
- Return the MD5 hash from your server to your Flash object.
- In your Flash object, compare the returned hash with the fb_sig parameter that was passed in. If they are equal, then your Flash object was loaded by Facebook. (Or by someone who stole your secret key.)
While the above technique doesn't embed your secret in the Flash object, what you're doing is making a public Web service to sign parameter strings with your secret and then embedding its address in your Flash object. This is just as bad as publishing your secret key (except you do the MD5 computation for any malicious clients). What you want to do is send all the parameters to the Web server (including fb_sig) and have it verify the signature internally and respond with either OK or NOT_OK.
![[1]](http://static.ak.facebook.com/images/spacer.gif){kind=link}