One of my clients currently has me working on a project involving the creation of a Facebook application. Since the project is small and needs to be completed ASAP, I chose a small light PHP framework for quick development which was CodeIngiter. Once I got my test application written I tested it on both the absolute URL and within Facebook. It worked fine by direct URL but when I attempted to load it on Facebook, it would give me the standard issue.
When I set up my application, I went through and turned on all the usual configurations I thought might be helpful for this project without thinking much about it. Turned out one of these configurations prevented the application from loading inside Facebook, just like it should. If you haven't figured it out yet, it is the CSRF protection. When CSRF protection is turned on, a token is required when submitting POST data to a URL, this token is a randomly generated and provides security so another website can't submit data to your page in an attempt to exploit a user.
Once this was disabled, the application rendered as expected within Facebook.
Because CSRF is important for web development to protect your users, would suggest implementing something similar to the method given on Facebook Authentication API page about half way down the page.