On December 8, 2011, our diff detection scripts picked up this change:
1 | /*1323218538,169893481,JIT | |
1 | /*1323305592,169920374,JIT | |
2 | 2 | |
3 | 3 | if (!window.FB) window.FB = { |
4 | 4 | _apiKey: null, |
… | ||
5361 | 5361 | [10, 3, 181, 34], |
5362 | 5362 | [11, 0, 0] |
5363 | 5363 | ], |
5364 | "_swfPath": "rsrc.php\/ | |
5364 | "_swfPath": "rsrc.php\/ | |
5365 | 5365 | }, true); |
5366 | 5366 | FB.provide("XD", { |
5367 | 5367 | "_xdProxyUrl": "connect\/ |
I've decompiled the SWF file and ActionScript files from http://static.ak.fbcdn.net/rsrc.php\/v1\/yD\/r\/GL74y29Am1r.swf and reviewed the diffs between the previously decompiled SWF with this one. If you were to compare the diff changes for the XdComm.as file, you would see:
15a16,17
> private static var initialized:Boolean = false;
> private static var origin_validated:Boolean = false;
20,21c22,29
< Security.allowDomain("*"); < Security.allowInsecureDomain("*"); --- > if (XdComm.initialized)
> {
> return;
> }
> XdComm.initialized = true;
> var _loc_1:* = PostMessage.getCurrentDomain();
> Security.allowDomain(_loc_1);
> Security.allowInsecureDomain(_loc_1);
51a60
> ExternalInterface.addCallback("postMessage_init", this.initPostMessage);
60a70,76
> private function initPostMessage(param1:String, param2:String) : void
> {
> origin_validated = true;
> this.postMessage.init(param1, param2);
> return;
> }// end function
>
164a181,189
> public static function proxy(param1:String, param2:String) : void
> {
> if (origin_validated)
> {
> ExternalInterface.call(param1, param2);
> }
> return;
> }// end function
>
The changes indicate that Facebook has tightened the cross-domain security policies. Instead of using wildcard domains to accept messages in its allowDomain() function, it now invokes a call to getCurrentDomain(), which is a function defined in the PostMessage.as file used to execute a call to document.domain, relying more on the browser to define the security restrictions.
Most of these change should not affect your users...just wished Facebook would discuss more what's going on behind the scenes since your apps may very well be using the Facebook Connect Library without realizing these changes are happening beneath you!
I've started to post the decompiled SWF files here:
https://github.com/rogerhu/connect-js/tree/master/swf
Note that these updates are only manually. If someone knows of an open-source SWF decompiler, then the diffs could be much more automated!