In short – you can’t. Or at least not if you want to be PCI compliant. In order to pass a user’s personal information through a secure encrypted channel, you will need to collect that data on an IFRAME application page. No two ways about it. Here’s why:
ALL Tabs are FBML
Why This Matters
Say you have an application tab on a Facebook fan page, and that tab is meant to collect personal user data, for example an entry form for a contest or sweepstakes. You need to collect name, address, contact information, possibly age – and so on, all of which qualify as PII, or Personally Identifiable Information. This means that you’re supposed to be sending this information over SSL so that the user’s personal data is never transmitted over the wire unencrypted.
You would normally use Ajax to submit a form like this; otherwise, when the user submits, they are taken out of the Facebook site and onto whatever form handler you have set as the action of your HTML form.
When you submit a form using Mock Ajax in FBML, Facebook runs that form submission through a proxy page, specifically one called ajax-proxy.php. The problem is that there is no SSL version of this proxy page, so instead of the user’s data travelling like this:
Form → SSL → Your Form Handler
It instead goes through something like this:
Form → Non-SSL Ajax Proxy → SSL → Your Form Handler
This means that if you are working on applications that must endure any kind of formal PCI compliance or penetration testing, you WILL NOT PASS, since there is a point in that process where the user’s data is being transmitted in plain text and could potentially be intercepted.
The only way around this is to set your application up as an IFRAME application and put the form on a page within the app, not on a tab. From there, you can use normal Ajax to post over SSL, and the communication will not be proxied by Facebook.
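As an added example (not code from the original post), here is what the "normal Ajax over SSL" submission from an IFRAME application page can look like, with a guard that refuses to send the entry-form fields at all unless the handler URL is an absolute https:// URL. The handler URL, the field names and the use of fetch are assumptions for the example; the form handler itself is a placeholder, not a real endpoint.

```javascript
// Added example, not part of the original post. Submits a contest entry form
// directly from an IFRAME app page over SSL, with no Facebook proxy in the path.

// Placeholder handler URL (assumption for the example, not a real endpoint).
const HANDLER_URL = "https://example.invalid/contest/entry";

// Fields the entry form collects; the names are assumptions for the example.
const PII_FIELDS = ["name", "address", "email", "phone", "age"];

// Returns true only for an absolute https:// URL. Relative or malformed URLs
// are rejected because their scheme cannot be verified here.
function isSecureHandler(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  return parsed.protocol === "https:";
}

// Builds the POST request for the handler, or throws before any PII is
// serialised if the handler would be reached over plain HTTP.
function buildEntryRequest(formValues, handlerUrl) {
  if (!isSecureHandler(handlerUrl)) {
    throw new Error("refusing to submit PII: handler is not an https:// URL");
  }
  const body = {};
  for (const field of PII_FIELDS) {
    const value = formValues[field];
    if (value !== undefined && value !== null && String(value) !== "") {
      body[field] = String(value);
    }
  }
  // Fields the user left blank, so the caller can prompt before sending.
  const missing = PII_FIELDS.filter((f) => !(f in body));
  return {
    url: handlerUrl,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      credentials: "same-origin",
      body: JSON.stringify(body),
    },
    missing,
  };
}

// Sends the entry with ordinary Ajax (fetch), so the path is
// Form -> SSL -> Your Form Handler, as the post describes for IFRAME apps.
async function submitEntry(formValues, handlerUrl = HANDLER_URL) {
  const req = buildEntryRequest(formValues, handlerUrl);
  const resp = await fetch(req.url, req.options);
  return resp.ok;
}

// Browser wiring: intercept the submit event so the user stays inside the
// IFRAME page, and run the scheme guard against the form's own action URL.
function attachToForm(form) {
  form.addEventListener("submit", (ev) => {
    ev.preventDefault();
    const values = {};
    for (const field of PII_FIELDS) {
      const el = form.elements[field];
      if (el) values[field] = el.value;
    }
    submitEntry(values, form.action).catch((err) => console.error(err.message));
  });
}
```

The guard is deliberately placed before serialisation so that a misconfigured form action (an http:// handler, or a relative path on a page that was itself loaded over http) fails closed instead of leaking the entry. The IFRAME page that hosts the form should also be served over HTTPS: if the page markup and script arrive over plain HTTP, they can be altered in transit before the form is ever submitted, and browsers treat the combination as mixed content.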