Facebook Developers

POST for Canvas

Introduction

This document applies to iframe canvas applications only and does NOT apply to FBML fb:iframe tags. To use POST in iframes, please enable the migration POST for Canvas (Beta) in your application settings.


Problem

When you have an iframe canvas app with URL http://example.com/, the HTML that is generated is something like:

<iframe src="http://example.com/?...&fb_sig_user=218471..."></iframe>

This way, your endpoint knows enough about the user to render the app for them. Sadly, all those parameters go in the URL, and if your app includes any other external resources (iframes, imgs, scripts, etc.), that sensitive data gets passed along to them in the HTTP Referer header.


Solution

Instead of putting all the data in the URL, we are going to put it in the body of an HTTP POST. Instead of:

<iframe src="http://example.com/?fb_sig_user=218471"></iframe>

we will now use:

<form target="canvas_iframe" action="http://example.com/" method="POST" id="canvas_form">
  <input name="fb_sig_user" value="218471" type="hidden" />
</form>
<iframe name="canvas_iframe"></iframe>
<script>
  // Submit the form into the named iframe so the parameters travel in the POST body
  document.getElementById("canvas_form").submit();
</script>

What do apps have to change?

Thankfully, this isn't a big change for most apps. You should start accepting HTTP POST for any endpoints that will be rendered as an iframe on Facebook. You don't necessarily have to support HTTP GET after you migrate your app, but it will make your life easier if you support it as well (for testing and developing).
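As an added illustration (not part of the original documentation), here is a framework-neutral Python WSGI version of that change: it reads the fb_sig_* values from the POST body with a GET fallback for testing, and reports which of them the iframe URL, and therefore the Referer header, would expose. The function names and the rule that a body value overrides a query value are assumptions of this example, and the requests are constructed sample data.

```python
import io
from urllib.parse import parse_qs, urlencode
from wsgiref.util import request_uri, setup_testing_defaults

FORM = "application/x-www-form-urlencoded"


def canvas_params(environ):
    """Collect fb_sig_* values from the query string and, for POST, the form body."""
    merged = {k: v[-1] for k, v in parse_qs(environ.get("QUERY_STRING", "")).items()}
    if environ["REQUEST_METHOD"] == "POST":
        ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
        if ctype == FORM:
            size = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(size).decode("utf-8")
            # Assumption of this example: a body value overrides a query value.
            merged.update({k: v[-1] for k, v in parse_qs(body).items()})
    return {k: v for k, v in merged.items() if k.startswith("fb_sig_")}


def leaked_in_referer(environ):
    """fb_sig_* names present in the iframe URL, which is what external
    resources loaded by the page receive in the Referer header."""
    url = request_uri(environ, include_query=True)
    query = url.partition("?")[2]
    return sorted(k for k in parse_qs(query) if k.startswith("fb_sig_"))


def make_request(method, params):
    """Build a constructed WSGI environ for http://example.com/ (sample data)."""
    encoded = urlencode(params)
    environ = {"REQUEST_METHOD": method, "HTTP_HOST": "example.com"}
    if method == "POST":
        environ.update({"CONTENT_TYPE": FORM,
                        "CONTENT_LENGTH": str(len(encoded)),
                        "wsgi.input": io.BytesIO(encoded.encode("utf-8"))})
    else:
        environ["QUERY_STRING"] = encoded
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    return environ


if __name__ == "__main__":
    sample = {"fb_sig_user": "218471"}  # value taken from the snippet on this page
    for method in ("GET", "POST"):
        env = make_request(method, sample)
        print(method, canvas_params(env), "referer exposes:", leaked_in_referer(env))
```

Both requests yield the same parameters for the app, but only the GET request carries fb_sig_user in the URL that third-party resources see.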

PHP

Use $_REQUEST instead of $_GET

Django

Use HttpRequest.REQUEST instead of HttpRequest.GET. An example middleware for signed_request.

Ruby on Rails

Still use request.params, just make sure you support request.post?.

Nginx

Add error_page 405 =200 $uri; to your nginx.conf, so that a POST to a static file is served with a 200 instead of being rejected with a 405.

Your language / framework?

Post in the comments and I'll add them.


Timeline

November 23rd: Migration is created.

December 10th: If no problems are encountered, the migration will lose its (Beta) tag, and will be default on for newly created apps.

March 12th: The migration is complete and ALL iframes will be using POST.


Updated over a year ago
Facebook © 2012 · English (US)