FBJS: Facebook JavaScript

The best place to start learning about using JavaScript within Facebook apps is the developer wiki. It can be a bit disorienting at first, because they’ve constructed a very effective security sandbox. The only calls you can make are those they explicitly provide, so many common calls like alert() are not available.

There’s no list of all the legal function calls you can make, though the wiki does cover the DOM element calls. I’ve put in a request to the Facebook team to document the whitelist they use to parse scripts, but for now you need to use trial and error to find out which are filtered out. Some are obvious: anything that would let you add arbitrary unchecked content to the page, like document.write or eval(), is never going to be supported.

I had to write a script blocker for SearchMash, so I know how tough it can be. I’m very impressed with the job they do; managing to identify variables within JS and put them in a private namespace by adding a prefix is very clever. I do wonder if anyone’s gone through the full Cross-Site Scripting Cheatsheet though, since there are some funky methods of concealing scripts within HTML, and even after a few weeks of work I wasn’t able to exclude all of them. I had to deal with arbitrary external pages, so maybe Facebook can avoid those issues by refusing to parse anything that looks even slightly odd, since most of the exploits rely on ill-formed markup that still works in many browsers.
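To make the two sandboxing ideas above concrete (only explicitly allowed globals may be referenced, and everything the app defines is pushed into a private namespace by prefixing it with the app id), here is a small added illustration. It is not Facebook’s FBJS rewriter and is not code from the original post; the allow-list, the deny-list of property names, the `a<appId>_` prefix and the minimal tokenizer are all assumptions for the example.

```javascript
// Added illustration of a whitelist-plus-prefix script sandbox. This is NOT
// Facebook's FBJS implementation; ALLOWED_GLOBALS, DENIED_MEMBERS, the
// "a<appId>_" prefix and the tokenizer are assumptions for the example.
// The tokenizer is deliberately minimal (no regex literals, template
// strings or object-literal keys); a real rewriter needs a full JS parser.

// Globals the sandbox lets a script reach unprefixed (assumed allow-list).
const ALLOWED_GLOBALS = new Set([
  'document', 'Math', 'String', 'Number', 'parseInt', 'parseFloat',
  'true', 'false', 'null', 'undefined', 'this',
]);

// Property names refused outright because they let a script inject
// arbitrary markup or code into the page (assumed deny-list).
const DENIED_MEMBERS = new Set(['write', 'writeln', 'innerHTML', 'outerHTML']);

// Reserved words are passed through untouched.
const KEYWORDS = new Set([
  'var', 'function', 'return', 'if', 'else', 'for', 'while', 'do', 'new',
  'typeof', 'instanceof', 'in', 'break', 'continue', 'switch', 'case',
  'default', 'throw', 'try', 'catch', 'finally', 'delete', 'void',
]);

// One token per match: comment, string, number, identifier, whitespace,
// or any other single character (punctuation and operators).
const TOKEN_RE =
  /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?|[A-Za-z_$][\w$]*|\s+|[\s\S]/g;

// Rewrite an app script so that every bare name the app introduces lives
// under the app's own prefix, and refuse property names on the deny-list.
function sandboxScript(source, appId) {
  const prefix = 'a' + appId + '_';
  let out = '';
  let prev = ''; // previous significant token, used to recognise ".name"
  for (const m of source.matchAll(TOKEN_RE)) {
    const tok = m[0];
    // Whitespace and comments never affect naming; copy them through.
    if (/^\s/.test(tok) || tok.startsWith('//') || tok.startsWith('/*')) {
      out += tok;
      continue;
    }
    let emitted = tok;
    if (/^[A-Za-z_$]/.test(tok)) {
      if (prev === '.') {
        // Property access: keep the name, but refuse the dangerous ones.
        if (DENIED_MEMBERS.has(tok)) {
          throw new Error('disallowed property: .' + tok);
        }
      } else if (!KEYWORDS.has(tok) && !ALLOWED_GLOBALS.has(tok)) {
        // Any other bare name belongs to the app, so move it into the
        // app's namespace. Unlisted globals such as eval are renamed too,
        // which is exactly what stops the script from reaching them.
        emitted = prefix + tok;
      }
    }
    out += emitted;
    prev = tok;
  }
  return out;
}

// Constructed sample of an app script, as the rewriter would see it.
const SAMPLE_SCRIPT = 'var count = 0;\nfunction bump() { count = count + 1; }';
console.log(sandboxScript(SAMPLE_SCRIPT, 42));
```

The interesting property is that the allow-list and the prefixing work together: a call to an unlisted global such as `eval` is not blocked by a special rule, it is simply renamed into the app’s namespace, where nothing by that name exists. Only property names that cannot be neutralised by renaming (`document.write` and friends) need an explicit refusal.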

One of the interesting restrictions they have is that scripts in profile boxes will only be run as the result of a user action. This is a nice balance: it allows the app to do interactive things on the profile while keeping it from annoying the user when they’re not interested in it.

I’ve already done a big post on Facebook’s MockAjax, but a lot of the same points apply to general FBJS development. You’ll want to get FireBug to help you debug, and expect to spend a lot of time looking at the actual source of the pages Facebook is giving you. Luckily, if you’re the developer, they include the FBML as it was before their parser processed it, in comments towards the top of the page. This can be a real life-saver when you’re trying to work out what went wrong.

Funhouse Photo User Count: 1124 total, 104 active. Another day of steady growth. I’m going to see if I can chart the statistics I’ve been gathering here, but I’m pretty sure it’s been almost linear since I launched.

Event Connector User Count: 9 total. Still need to research what they mean by ‘secret’ events, and how to exclude them, and then I can do another directory submission.

Back from Santa Cruz


Liz and I returned from our trip to Santa Cruz Island last night. We had a wonderful time, camping under the eucalyptus with Richard, Kelly, Eric and Jennifer.

We had a chance to explore a few undeveloped and unmarked trails on the island too, with one thirteen mile hike that left us both pretty shattered. There isn’t much information about hiking the island available, so I’ll be trying to put up some notes with Google maps over this week.

Funhouse Photo User Count: 1,090 total, 109 active. It was good to see the steady growth continuing, especially since I’ve been focused on my day job and other projects, and haven’t done much to help it recently.
Event Connector User Count: 9 total. I’m currently wrestling with Facebook’s directory submission process. It was initially rejected as not showing any content, which I assumed was because the reviewer wasn’t invited to any events, so I just resubmitted it unchanged. It’s now been rejected for violating the ToS because it "stores user data beyond the context user session or specified timeout". This is very odd, because I’m actually not storing any data at all on my server, it’s all generated live through the Facebook API!
I’ll be adding a privacy policy note in the hope of clarifying this. There does need to be a two-way channel of communication between developers and the reviewers, at least somewhere I could add a note clarifying what I’m doing.