In short – you can’t. Or at least not if you want to be PCI compliant. In order to pass a user’s personal information through a secure encrypted channel, you will need to collect that data on an IFRAME application page. No two ways about it. Here’s why:

ALL Tabs are FBML

Even if your application is an IFRAME application, the application tab will be FBML. This is just the way Facebook has set it up, presumably to prevent unethical developers and page owners from trying to execute some nefarious JavaScript on an unsuspecting page visitor.

Why This Matters

Besides the obvious reasons such as the castrated JavaScript that you’re limited to in FBML (Mock Ajax/FBJS), there’s another gotcha that it took me a while to uncover.

Say you have an application tab on a Facebook fan page, and that tab is meant to collect personal user data, for example an entry form for a contest or sweepstakes. You need to collect name, address, contact information, possibly age – and so on, all of which qualify as PII, or Personally Identifiable Information. This means that you’re supposed to be sending this information over SSL so that the user’s personal data is never transmitted over the wire unencrypted.

You would normally use Ajax to submit a form like this, otherwise when the user submits, they will be taken out of the Facebook site and onto whatever form handler you’ve set in your HTML form.

When you submit a form using Mock Ajax in FBML, Facebook runs that form submission through a proxy page, specifically called ajax-proxy.php. The problem is that there is no SSL version of this proxy page, so instead of the user’s data traveling like this:

Form → SSL → Your Form Handler

It instead goes through something like this:

Form → Non-SSL Ajax Proxy → SSL → Your Form Handler

This means that if you are working on applications that must endure any kind of formal PCI compliance or penetration testing, you WILL NOT PASS, since there is a point in that process where the user’s data is being transmitted in plain text and could potentially be intercepted.

The only way around this is to set your application up as an IFRAME application, and put the form on a page within the app, not on a tab. From there, you can use normal Ajax to post over SSL and the communication will not be proxied by Facebook.
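As an added illustration (not code from the original post), here is a small Python audit that models the two submission paths above and flags the hop where PII crosses the wire unencrypted. The hop list is constructed, and the proxy hostname is a placeholder, since the post names only ajax-proxy.php and not its host.

```python
from urllib.parse import urlsplit, parse_qs

# Field names the post treats as PII (name, address, contact details, age).
PII_FIELDS = {"name", "address", "email", "phone", "age"}

# Constructed sample of the two paths described above. Each hop is
# (hop label, URL that was POSTed to, raw URL-encoded form body).
# "proxy.placeholder.invalid" stands in for the real ajax-proxy.php host.
ENTRY = "name=Ann&address=1+Main+St&phone=5550100&age=34"
DIRECT_PATH = [
    ("Your Form Handler", "https://app.example.com/enter", ENTRY),
]
PROXIED_PATH = [
    ("Non-SSL Ajax Proxy", "http://proxy.placeholder.invalid/ajax-proxy.php", ENTRY),
    ("Your Form Handler", "https://app.example.com/enter", ENTRY),
]


def pii_fields_in(body):
    """Return the sorted PII field names present in a URL-encoded form body."""
    return sorted(k for k in parse_qs(body, keep_blank_values=True)
                  if k.lower() in PII_FIELDS)


def audit_path(hops):
    """Return one finding per hop that carries PII over a non-TLS URL.

    Each finding is (hop label, hostname, exposed field names). A hop with
    no PII in its body is not reported even if it is plain HTTP.
    """
    findings = []
    for label, url, body in hops:
        parts = urlsplit(url)
        exposed = pii_fields_in(body)
        if parts.scheme != "https" and exposed:
            findings.append((label, parts.hostname, exposed))
    return findings


def passes_transport_check(hops):
    """True only when every hop that carries PII is protected by TLS."""
    return not audit_path(hops)


if __name__ == "__main__":
    for name, path in (("direct", DIRECT_PATH), ("proxied", PROXIED_PATH)):
        verdict = "PASS" if passes_transport_check(path) else "FAIL"
        print(f"{name}: {verdict} {audit_path(path)}")
```

Run as a script, the direct path passes and the proxied path fails on the proxy hop, which is exactly the finding a pentest or PCI review would raise.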



I’m a tech geek/dev/infosec-nerd/scuba diver/blacksmith/sword-fighter/crime fighter/ENTP/warcrafter/activist. I'm the CTO at Mass Mosaic and the CEO of Grokability, Inc. in San Diego, CA. Tweet at me @snipeyhead or read more...

  • I understand PCI compliance as it applies to merchants and credit card information. Does PCI apply elsewhere?

  • It depends on the company policy. For one of our clients (huge soft drink company), all of our apps have to adhere to very specific standards if we are collecting PII of any kind. There's no law requiring you do it, but if you have a client that insists (and understandably so if they do), you have to stick to it. For this client, every app we put out has to undergo (and pass) a pretty rigorous penetration and load testing process. They will high-priority fail us (as in, app cannot launch until it's fixed) for something like this.

  • Tahuizzy

    What does SSL facebook road block mean and how do I get past it?

    • If you read the article, you’d see what the roadblock is, and that there is no way around it.

  • Nick

    Nice article–informative and to the point. Thanks for the info!

  • We have got one of Facebook fan page reference for all my Facebook app SSL question and they had comprehensive solutions which will fit all the face app requirements. To know more about Facebook app SSL visit Facebook fan page ( or