Facebook Markup Language (FBML)


Inserts an <iframe> tag into an application canvas page; you cannot use the tag on the profile page (that is, application tabs and profile boxes). You cannot use FBML inside an iframe; use XFBML tags instead.

The conventional <iframe> tag has been re-created in FBML and became <fb:iframe>. You edit the attributes for <fb:iframe> the same way you would for HTML tags.

If you aren't requiring a session secret to be passed, you must use your server's URL as the src for your iframe. Otherwise, apps.facebook.com wraps your page with the Facebook layout.



The URL of the iframe. Signed GET parameters are appended to the URL to prove that the frame was loaded through Facebook, as described in the forms section. These parameters also include one named fb_sig_in_iframe to indicate this context.


This parameter smartly sizes the iframe to fit the remaining space on the page and disables the outer scrollbars. If you include more than one smartsizing iframe, they automatically distribute the size appropriately. Default value is false


Indicates whether to show (1) or hide (0) an iframe border. Default value is 1


Indicates whether to show scrollbars. Default value is yes - use "yes", "no", or "auto" (not "true" or "false")


Indicates a custom inline style for the iframe.


Indicates the width of the iframe.


Indicates the height of the iframe.


Gives the ability to set the iframe's size using the JavaScript API. See Resizable IFrame for details. You must specify a name for this iframe. This option cannot be used when smartsize is enabled.


The name of the iframe. You must name the iframe when resizable is enabled.


As of 9 February, 2009, this parameter is deprecated. See the announcement in the Notes below.
Setting this to true requires that the session secret (fb_sig_ss) be passed, in addition to the usual fb_sig parameters, when available. You might want to require this when the iframe source is outside of the application callback URL. By default this attribute is false to prevent unintentionally sending application and user data to a third party, which can use the session secret to make API calls on behalf of the application or user. You should use this attribute only to send the session secret to an application-owned URL that needs to make API calls, as the iframe source may not necessarily fall under its callback URL. Default value is false


Setting this to false indicates that credential information is not sent to the site in the iframe. This prevents external sites from stealing private information.Default value is true