Take a look at this blog post that should provide some guidance.
https://developers.facebook.com/blog/post/431/

Currently, we pass iframe applications the fb_sig_user query string parameter in the URL. This allows the application to identify the user and create customized, social experience. Due to the way browsers work, this information in the URL can be inadvertently passed in the HTTP Referrer header when someone clicks a link within the iframe.

Our initial proposal to address this issue used encryption as a means to protect against this inadvertent sharing, but still passed this encrypted UID in the URL. After talking with the community, we have updated our proposed solution to use a different mechanism that provides better protection for users while minimizing the impact on existing applications and eliminates the need to use encryption libraries.

In short, this new proposal embeds the UID in a HTTP POST body ensuring that it will not be exposed in any HTTP Referrer header whatsoever (encrypted or otherwise). We do this by creating a <form/> element targeted at the application Canvas URL:

 <form target="canvas_iframe" action="http://example.com/" id="canvas_form">
     <input name="fb_sig_user" value="1234" type="hidden" />
 </form>
 <iframe name="canvas_iframe"></iframe>
 <script>
     document.getElementById("canvas_form").submit()
 </script>