HTTPS protocol then you can take advantage of this feature. If you don't have an SSL Certificate then you cannot. This is understandable because, in theory, it limits abuse as it requires the initial investment of purchasing HTTPS.
This is where iframehost.com comes into play, and they are but an example. This third-party entity holds such a certificate and they are allowing any old sod to use their services as a proxy for this purpose. That any old sod need not make an initial monetary investment; there is no risk on their part. All one need do is register a link between iframehost and their Facebook page so that they can use a custom iFrame on it. As a result, the entire purpose of enforcing a certificate in the first place has thus been negated.
Given that an iFrame is not permitted to interact with the rest of the page if the two are of differing domains, Facebook has absolutely no way of validating the content of that frame. This means that there would be untrusted code on its page and that, from a web developer's perspective, is completely against the principles of content integrity.
I cannot begin to understand why Facebook even allow this feature in the first place, regardless of certification. As a good friend once said: My brain stops at "What the heck?".
Successful blocking of iframehost.com via the hosts file on a live page, preventing a redirect...
Edited by Mere_Mortal, 03 February 2012 - 04:17 PM.