On December 8, 2011, our diff detection scripts picked up this change:
This SWF file is Facebook's cross-domain handler for browsers that don't implement HTML5: it provides a Flash-based equivalent of HTML5's postMessage() function that allows messages to be passed between different domains. Facebook doesn't often recompile the SWF file, so this diff caught my attention. The most reliable decompiler I've found is Sothink's SWF decompiler, which can export the ActionScript files during its 30-day trial (for more context on how to decompile, see http://hustoknow.blogspot.com/2011/06/facebooks-flash-xdcomm-receiver.html).
I've decompiled the SWF file and its ActionScript files from http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/GL74y29Am1r.swf and reviewed the diffs between the previously decompiled SWF and this one. If you compare the diff for the XdComm.as file, you will see:
> private static var initialized:Boolean = false;
> private static var origin_validated:Boolean = false;
< Security.allowDomain("*"); < Security.allowInsecureDomain("*"); --- > if (XdComm.initialized)
> XdComm.initialized = true;
> var _loc_1:* = PostMessage.getCurrentDomain();
> ExternalInterface.addCallback("postMessage_init", this.initPostMessage);
> private function initPostMessage(param1:String, param2:String) : void
> origin_validated = true;
> this.postMessage.init(param1, param2);
> }// end function
> public static function proxy(param1:String, param2:String) : void
> if (origin_validated)
> ExternalInterface.call(param1, param2);
> }// end function
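Review bot: in initPostMessage(), `origin_validated = true;` is assigned before `this.postMessage.init(param1, param2);` runs, so the flag that gates proxy()'s ExternalInterface.call() is set regardless of whether init() accepts the supplied origin or throws. Move the assignment after a successful return from init() (or have init() return a Boolean and assign that), so a rejected or failed initialization leaves proxy() disabled. The removed `Security.allowDomain("*")` / `Security.allowInsecureDomain("*")` lines and the new `if (XdComm.initialized)` guard are otherwise the right direction.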
The changes indicate that Facebook has tightened its cross-domain security policy. Instead of accepting messages from any domain via Security.allowDomain("*") and Security.allowInsecureDomain("*"), it now calls getCurrentDomain(), a function defined in PostMessage.as that reads document.domain through the browser, so the browser's own same-origin restrictions decide what is allowed. In addition, proxy() only forwards to ExternalInterface.call() once origin_validated has been set.
Most of these changes should not affect your users, but I wish Facebook would discuss more of what's going on behind the scenes, since your apps may well be using the Facebook Connect library without you realizing these changes are happening beneath you!
I've started to post the decompiled SWF files here:
Note that these updates are only made manually. If someone knows of an open-source SWF decompiler, then the diffs could be much more automated!
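The first half of that automation, detecting that the SWF has actually been recompiled rather than merely re-served, is straightforward without a decompiler. The following is an added example (not code from the post or from Facebook): it parses the 8-byte SWF header, decompresses a zlib-packed (CWS) file, and compares the SHA-256 of the decompressed body between two snapshots, so a re-zipped but otherwise identical file does not raise a false alarm. The make_swf() helper and its payloads are constructed for testing; a real monitor would fetch the URL above and keep the previous download on disk.

```python
import hashlib
import struct
import zlib


def parse_swf(data: bytes) -> dict:
    """Parse the SWF header and return version and decompressed body.

    Layout: signature 'FWS' (plain), 'CWS' (zlib) or 'ZWS' (LZMA),
    one version byte, then a uint32 little-endian uncompressed length
    that counts the 8-byte header as well as the body.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    length = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise NotImplementedError("LZMA-compressed SWF not handled here")
    else:
        raise ValueError("not a SWF file")
    if len(body) + 8 != length:
        raise ValueError("header length %d != actual %d" % (length, len(body) + 8))
    return {"version": version, "compressed": sig == b"CWS", "body": body}


def detect_change(previous: bytes, current: bytes) -> dict:
    """Report whether the SWF was recompiled between two snapshots."""
    old, new = parse_swf(previous), parse_swf(current)
    old_hash = hashlib.sha256(old["body"]).hexdigest()
    new_hash = hashlib.sha256(new["body"]).hexdigest()
    return {
        "recompiled": old_hash != new_hash,          # body bytes differ
        "version_changed": old["version"] != new["version"],
        "old_sha256": old_hash,
        "new_sha256": new_hash,
    }


def make_swf(body: bytes, version: int = 10, compress: bool = False) -> bytes:
    """Build a constructed SWF (header + body) for offline testing."""
    header = (b"CWS" if compress else b"FWS") + bytes([version])
    header += struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compress else body)
```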