Fb:swf
From Facebook Developer Wiki
Description
Renders a Shockwave Flash (SWF) object. On profile pages, an image appears first. When the user clicks the image, it turns into the Flash object. On canvas pages, the image is ignored, and the Flash object is directly included.
You can also make API calls to Facebook directly from Flash. Check out the official ActionScript 3.0 Library for Facebook Platform for more details.
Attributes
| Required | Name | Type | Description |
|---|---|---|---|
| required | swfsrc | string | The URL of the Flash object. The URL must be absolute. |
| optional | imgsrc | string | The URL of the image (.gif and .jpg formats only). (Default value is http://static.ak.facebook.com/images/spacer.gif; note that this renders the Flash object unusable and invisible on profile pages if no height/width parameters are set.) |
| optional | height | int | The height of the image and the Flash object. |
| optional | width | int | The width of the image and the Flash object. |
| optional | imgstyle | string | The style attribute for the image. |
| optional | imgclass | string | The class attribute for the image. |
| optional | flashvars | string | The URL-encoded Flash variables. Also passes the fb_sig_ values as described in the section on Forms. |
| optional | swfbgcolor | string | The hex-encoded background color for the Flash object. By default, a Flash object's background is transparent, so if you want a background color, specify one for this attribute. |
| optional | waitforclick | bool | Indicates whether to autoplay the Flash object (false) when allowed. false does not work in profiles for security and aesthetic reasons, except after an AJAX call. (Default value is true.) |
| optional | salign | string | The salign attribute from normal Flash <embed>. Specify t (top), b (bottom), l (left), r (right) or a combination (tl, tr, bl, br). |
| optional | loop | bool | Indicates whether to play the Flash object continuously. Specify true or false. |
| optional | quality | string | Indicates the quality of the object. Specify best, high, medium or low. |
| optional | scale | string | The scaling to apply to the object. Specify showall, noborder or exactfit. |
| optional | align | string | Indicates how the browser aligns the object. Specify left, center or right. |
| optional | wmode | string | Indicates the opacity setting for the object. Specify transparent, opaque or window. (Default value is transparent.) |
Flash Variables
Facebook passes the following parameters to the SWF when it is loaded:
| Name | Type | Description |
|---|---|---|
| allowScriptAccess | string | This string is always set to "never." |
| fb_sig_profile | int | The uid of the user into whose profile the Flash object is being loaded; this is blank when loaded in the canvas. |
| fb_sig_time | int | The time when the signature was generated. |
| fb_sig_user | int | The uid of the currently logged in user. |
| fb_sig_session_key | string | The Facebook session key. |
| fb_sig_expires | int | The session expiration time. |
| fb_sig_api_key | string | Your application's API key. |
| fb_sig_added | bool | Indicates whether the user has added your application. |
| fb_sig_ss | string | The session secret, used in place of your application's secret key for secure API calls. This is sent only to a SWF that resides within the domain or subdomain of your application's callback URL. The session secret also gets passed to a SWF object inside your Publisher. |
| fb_sig | string | An MD5 hash of all the parameters with names that start with fb_sig_ plus your application secret. This way, the Flash object can confirm that it is being loaded into a Facebook page. (But be careful embedding your secret in your Flash application; hackers can get at it if you do.) See notes below. |
Examples
<fb:swf
swfbgcolor="000000"
imgstyle="border-width:3px; border-color:white;"
swfsrc='http://www.youtube.com/v/xxxxxxxxxx'
imgsrc='http://img.youtube.com/vi/xxxxxxxxxx/2.jpg'
width='340' height='270' />
Notes
- Currently, Facebook requires a minimum Flash Player version of either 9.0.159.0 or 10.0.22.87 for all <fb:swf> tags. When Adobe discontinues security updates for Flash 9 (Flash 10 is unsupported on Windows 98 and ME), it will no longer be supported anywhere on Facebook.
- Make sure that the flashvars parameter is all lowercase. Some sources of embedded links capitalize the V, which does not work on Facebook.
- Currently, Facebook wraps the resultant Flash object in a <div> tag, so despite the fact that the embed/object tag is not block-level, consecutive <fb:swf> tags will appear one above the other instead of side-by-side.
- Facebook prevents direct script access from Flash with allowScriptAccess=none. To link or call JavaScript from your Flash object, you can use Flash localconnection and the fb:fbjs-bridge tag.
- To verify that your Flash object was loaded from a Facebook page, do the following. For security, this technique does not embed your secret key in your Flash app:
  - Get all the parameters whose names start with fb_sig. (Do not include the fb_sig parameter itself.) In Flex use Application.application.parameters to do this.
  - Strip the fb_sig_ prefix from all parameters, and make sure the keys are lowercase.
  - Create a string of the form param1=value1param2=value2param3=value3, etc., sorted by the names (not the values) of the parameters. Note: Do not use ampersands between the parameters.
  - Separately pass this string and the fb_sig parameter itself to your server, where your secret key is stored.
  - On your server, append your application secret key to the string that was passed in. The following is returned: param1=value1param2=value2param3=value3myappsecret
  - On your server, create an MD5 hash of this string.
  - On your server, compare the generated hash with the fb_sig parameter that was passed in. If they are equal, then your Flash object was loaded by Facebook. (Or by someone who stole your secret key.) In this case respond to the Flash object with VALID or a similar code. If the signature is not valid, respond with INVALID.
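The server-side half of the check above, as an added example (not code from the Facebook wiki or any Facebook library). It goes slightly beyond the listed steps: the server rebuilds the sorted string from the forwarded fb_sig_ parameters itself, compares hashes in constant time, and rejects stale signatures. The function names, the sample values, the 300-second window and the reading of fb_sig_time as a Unix timestamp are assumptions.

```python
import hashlib
import hmac
import time

PREFIX = "fb_sig_"

# Constructed sample values for illustration; not real Facebook data.
SAMPLE_SECRET = "constructed-secret-not-a-real-key"
SAMPLE_PARAMS = {
    "fb_sig_user": "1001",
    "fb_sig_time": "1250000000",
    "fb_sig_api_key": "constructedapikey",
    "fb_sig_added": "1",
}


def build_base_string(params):
    """Keep fb_sig_* entries (never fb_sig itself), strip the prefix,
    lowercase the names, sort by name, join as name=value with no '&'."""
    stripped = {
        key[len(PREFIX):].lower(): value
        for key, value in params.items()
        if key.lower().startswith(PREFIX)
    }
    return "".join(f"{name}={stripped[name]}" for name in sorted(stripped))


def sign(params, app_secret):
    """MD5 over the base string with the application secret appended."""
    data = build_base_string(params) + app_secret
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def verify_request(params, app_secret, max_age=300, now=None):
    """Return "VALID" or "INVALID" for the parameters the SWF forwarded."""
    supplied = str(params.get("fb_sig", "")).encode("utf-8")
    expected = sign(params, app_secret).encode("utf-8")
    # Constant-time comparison: do not leak how many hex digits matched.
    if not hmac.compare_digest(expected, supplied):
        return "INVALID"
    # Assumption: fb_sig_time is a Unix timestamp in seconds. Rejecting old
    # signatures limits replay of a captured parameter set.
    try:
        issued = float(params["fb_sig_time"])
    except (KeyError, TypeError, ValueError):
        return "INVALID"
    now = time.time() if now is None else now
    return "VALID" if abs(now - issued) <= max_age else "INVALID"
```

The application secret stays on the server throughout; the SWF only forwards the parameters it received and reads back VALID or INVALID.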
