Thursday, October 1, 2009

Facebook app memo

Facebook development: choosing FBML or iframe as your application type
http://apps.new.facebook.com/facebooker_tutorial/

1. Set up a new application
http://www.facebook.com/developers/

2. Remember your API key and secret key

3. Canvas setting

API key, secret key

They let our application verify that requests are coming from Facebook.

Facebook sends us the ID of the current user and their whole list of friends on
every request. That makes our life quite a bit easier. It can also cause
some security problems.

All requests come from Facebook. To make sure this is the case, we can
verify the signature that is sent by Facebook on every request. A digital
signature is a way to use cryptography to verify that something actually
came from the party it appears to be from. Facebook sends a
number of parameters whose names start with fb_sig. All these parameters are
used in the signature validation.

When Facebook sends our applications a request, it builds a string
that includes all the fb_sig parameters in alphabetical order. It then
adds our secret key to the end of that string and calculates the MD5 sum.

When Facebooker receives a request, it goes through the
same steps to recalculate the signature. If the value that Facebooker
calculates matches the one in our request, it proves that the request
came from somebody who knows our secret key.
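The check Facebooker performs, written out as an added Ruby example (not Facebooker's own code): it assumes the legacy canvas format, in which each fb_sig_* parameter is written as key=value with the fb_sig_ prefix removed, the pairs are sorted and concatenated, the secret is appended and the MD5 hex digest is compared with the bare fb_sig parameter. The secret and the request values are constructed for the example, and a request whose fb_sig_user was rewritten after signing is shown to be rejected.

```ruby
require 'digest/md5'

# Constructed secret for the example; the page's real keys are not used.
SECRET_KEY = 'example_secret_key_not_real'

# Rebuild the string Facebook signs: every fb_sig_* parameter with the
# prefix removed, sorted alphabetically, joined as key=value with no
# separator, then the application secret appended, then MD5. The bare
# fb_sig parameter carries the signature itself and is not signed.
def expected_signature(params, secret)
  signed = params.select { |k, _| k.start_with?('fb_sig_') }
  body = signed.sort.map { |k, v| "#{k.sub(/\Afb_sig_/, '')}=#{v}" }.join
  Digest::MD5.hexdigest(body + secret)
end

# Compare digests without stopping at the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check to run before trusting fb_sig_user or fb_sig_friends.
def valid_request?(params, secret)
  sig = params['fb_sig']
  return false if sig.nil?
  constant_time_equal?(expected_signature(params, secret), sig)
end

# Constructed canvas request, signed the way Facebook would sign it.
def sample_params
  p = {
    'fb_sig_user'    => '12345',
    'fb_sig_friends' => '111,222,333',
    'fb_sig_time'    => '1254384000.0',
    'fb_sig_added'   => '1',
    'other_param'    => 'not signed, so free to change'
  }
  p['fb_sig'] = expected_signature(p, SECRET_KEY)
  p
end

# Same request with fb_sig_user rewritten after signing: the recomputed
# digest no longer matches, so the request is rejected.
def tampered_params
  p = sample_params
  p['fb_sig_user'] = '99999'
  p
end
```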

Rails includes a feature to stop cross-site request forgery (CSRF)
attacks. Unfortunately, this feature doesn't play well with Facebook.
We'll need to disable it by editing environment.rb and setting
allow_forgery_protection to false; the fb_sig signature check above is
then what proves a request is genuine.
