The Profile Box is Sandboxed

Even though the profile box is the representation of a Facebook app that you will see the most, it is actually a pretty isolated chunk of FBML. This is very intentional, for all sorts of security and performance reasons.

  • You can’t put an iframe in a profile box.
  • Any images are cached through Facebook.
  • The profile box content is set from your server, so when it is viewed that content is spit out. Your server isn’t queried when someone views their profile containing your app’s profile box.
  • When someone views a profile page, no external queries can be made.
  • Nothing can ‘happen’ when someone merely views a profile page. They need to view a canvas page, push a button or something for the application to have a stimulus for a response.

This limits what information Facebook applications can gather about usage, but it’s actually a really good thing.
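
The restrictions listed above, as an added example that is not from the original post or from Facebook's code: a small Python filter that treats app-supplied profile box markup the way the list describes, dropping iframes, stripping inline event handlers, and rewriting image sources so the viewer's browser only contacts a cache. The cache URL, the inclusion of `script` in the blocked set, and all names are assumptions, and it enforces only the rules listed above.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Assumed cache endpoint; the platform's real URL scheme is not given in the post.
CACHE_PREFIX = "https://cache.platform.example/img?src="
BLOCKED = {"iframe", "script"}   # the post names iframes; script is an assumption
VOID = {"img", "br", "hr"}       # tags that never get a closing tag

class ProfileBoxFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.rejected, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED:            # drop the element and everything inside it
            self.rejected.append(tag)
            self.skip += 1
            return
        if self.skip:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # no handler may fire on a mere view
                self.rejected.append(name)
                continue
            value = value or ""
            if tag == "img" and name == "src":  # viewer fetches from the cache only
                value = CACHE_PREFIX + quote(value, safe="")
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in BLOCKED:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def filter_profile_box(markup):
    """Return (safe_markup, rejected_items) for markup pushed by an app server."""
    parser = ProfileBoxFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.rejected

# Constructed sample of what an app might push; app.example is a placeholder host.
SAMPLE = ('<div onclick="ping()"><img src="https://app.example/a.png?u=1">'
          '<iframe src="https://app.example/t"></iframe><b>Top tracks</b></div>')
```

Because the filter runs once when the app pushes content, the stored result can be served on every profile view without any request reaching the app's server.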


2 Responses to “The Profile Box is Sandboxed”

  1. Nepharius Says:

    So how do those other profile boxes load content when you click on them? Is there an iframe-type thing going on or should I be coding in FBML? I have a ReverbNation My Band app as a box and when I click on that box it shows all my music, images that I have uploaded and a bunch of other stuff without going to the canvas page.


    • kelek1 Says:

      The profile box (which is now out of fashion and relegated to the ‘Boxes’ tab) itself can be updated continuously by the Facebook application. When you click on something in the box, it can take you to a canvas or iframe page.

      Application tabs are canvases that start in ‘passive’ mode. Flash is paused and there’s no onload JavaScript, but when a user interacts with the page it becomes active.

