Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Weird url appended "#_=_" [duplicate]

Tags:

facebook

facebook-php-sdk

facebook-oauth

Possible Duplicate:
Play Framework appending #= to redirect after Facebook auth via OAuth2?

Has anyone else seen this happen?

I am building a Facebook canvas app using the Facebook PHP SDK, and some Javascript.
Now when I take the user through the OAuth authentication flow, I have noticed that the URL in the browser automatically gets appended with this "#_=_" , so my URL starts looking like this:

http://apps.facebook.com/xxxxxxxxxxxx/#_=_

and when I redirect to the app profile page the URL is this:

http://www.facebook.com/apps/application.php?id=xxxxxxxxxxxx#_=_

I am redirecting using

echo "<script type='text/javascript'>top.location.href='$appcanvasurl';</script>"

to the canvas URL, and

echo "<script type='text/javascript'>top.location.href='$appprofurl';</script>"

for app profile page.

So why is this #_=_ getting appended?

Update:

According to this bug on the tracker, this is by design, and giving a value for the redirect_uri does not change this.

And according to the official facebook reply on that page (have to be logged in to Facebook to view the post):

This has been marked as 'by design' because it prevents a potential security vulnerability.

Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment).

For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com.

Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another.

This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior.

If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.

like image 680
bool.dev Avatar asked Sep 20 '11 12:09

bool.dev

1 Answers

See This: https://developers.facebook.com/blog/post/552/

Change in Session Redirect Behavior

This week, we started adding a fragment #_=_ to the redirect_uri when this field is left blank. Please ensure that your app can handle this behavior.

like image 112
mjs Avatar answered Oct 05 '22 16:10

mjs
Sign in to Comment

Related questions

How to workaround 'FB is not defined'?
Google Play App Signing - KeyHash Mismatch
Flutter - how to connect to Facebook's SDK app event using a codeless setup
Facebook conversion event callback
Identifying Facebook Messenger user with UserID from a Facebook Login
How do I write Facebook apps using Django?
How to get rid of OpenSSL::SSL::SSLError
Facebook Open Graph API Examples - How to get the access token?
How can I query public facebook events by location/city?
Handling openURL: with Facebook and Google
Facebook Graph API - How do you retrieve the different size photos from an album?
Is there any way to get key hash from signed APK?
"Failed to load resource" using Facebook's example code
Logout from Facebook programmatically iOS
Uncaught ReferenceError: FB is not defined when using FB.getLoginStatus
how to get email id of Facebook user using javascript sdk
Facebook + UserBundle authentication with symfony2
Can you use Facebook "Test Users" to test a Messenger Bot?
HTML: What is `xmlns:fb="http://www.facebook.com/2008/fbml"`?
Side navigation menu like Facebook app

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!