This was the case for our production user registration flow for a long time. The first hit displayed an image for one CAPTCHA, and the second hit surreptitiously invalidated it so that there was no possible way the user could solve the CAPTCHA. Thanks, guys.
It seems that Facebook's engineers found IE8 wouldn't do their bidding
unless the communication channel IFrame was hosted on the same domain
too. So what better way to ensure this than, uh, reload the current
IFrame. No site is going to care if they rack up double hits from a
large percentage of their user base, right? As they helpfully append
fb_xd_fragment as a query parameter, you can just make a special
case short-circuit in your routing based on that. Right? Right?
Why wouldn't Facebook document this? Oh, wait – they did... sort
of. It's listed as part of
Oh, but wait. Apparently the API has changed a little, and
xdChannelUrl should just be
channelUrl. They're close enough,
right? That's like, hardly worth mentioning. Or documenting.
Update 2010-11-26 09:05: It appears this is documented, or at least it is now. Peperone23 points out the FB.init documentation.
So now you do something like this:
channelUrl: window.location.protocol + '//example.com/xd_receiver.html'
And in xd_receiver.html, you do this:
Voilà! Facebook can use this static, lightweight, stateless page to achieve their ends instead of loading the current page a second time. Set some way-in-the-future cache headers on that sucker and call it good.