Weird url appended "#_=_" [duplicate]
Possible Duplicate:
Play Framework appending #= to redirect after Facebook auth via OAuth2?

Has anyone else seen this happen?

I am building a Facebook canvas app using the Facebook PHP SDK and some JavaScript.
Now, when I take the user through the OAuth authentication flow, I have noticed that the URL in the browser automatically gets "#_=_" appended, so my URL starts looking like this:

http://apps.facebook.com/xxxxxxxxxxxx/#_=_

and when I redirect to the app profile page the URL is this:

http://www.facebook.com/apps/application.php?id=xxxxxxxxxxxx#_=_

I am redirecting using

echo "<script type='text/javascript'>top.location.href='$appcanvasurl';</script>"

to the canvas URL, and

echo "<script type='text/javascript'>top.location.href='$appprofurl';</script>"

for app profile page.

So why is this #_=_ getting appended?

Update:

According to this bug on the tracker, this is by design, and giving a value for the redirect_uri does not change this.

And according to the official Facebook reply on that page (you have to be logged in to Facebook to view the post):

This has been marked as 'by design' because it prevents a potential security vulnerability.

Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment).

For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com.

Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another.

This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior.

If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.

Cesar answered 20/9/2011 at 12:25

Comments (3):

I have noticed that the #_=_ is still getting appended even when redirect_uri has been specified. There is a workaround, though, using JavaScript, at this: https://mcmap.net/q/73804/-facebook-callback-appends-39-_-_-39-to-return-url/720508 and here: facebook.#7339353 (Cesar)

Add the following to your head tag to resolve this issue: <script type="text/javascript">if (window.location.hash == '#_=_') window.location.hash = '';</script> (Branum)

@SafranAli That doesn't solve it; please excuse me for this late follow-up. window.location.hash is empty anyway; only the parent or top location has this hash, I guess. window here refers to the iframe that the app is running in; the hash of the parent frame is #_=_, I think. Share your thoughts, please. (Cesar)
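The Facebook reply quoted in the question describes a browser rule, not Facebook-specific behaviour: RFC 7231 section 7.1.2 (and the WHATWG Fetch spec) say that when a redirect's Location has no fragment, the browser carries the fragment of the URL it is leaving over to the new URL. The following is an added example, not code from the original post or from Facebook. It models that rule in Node.js, shows how a token sitting in the fragment of one app's page ends up readable by a second app after a fragment-less redirect, shows that appending a fragment such as "#_=_" blocks the carry-over, and includes a cleanup helper for the marker. All URLs and the token value are constructed for the demo.

```javascript
// Added example (not from the original post or from Facebook). Models the
// redirect fragment-inheritance rule from RFC 7231 section 7.1.2: a 3xx
// Location without a fragment inherits the fragment of the current URL.
// URL and URLSearchParams are Node.js globals; no third-party modules.

// Return the URL a browser ends up at when, sitting on `currentUrl`, it
// receives a redirect whose Location header is `location`.
function followRedirect(currentUrl, location) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // Location may be relative
  // Only a Location with no fragment at all inherits. A bare "#" is an
  // empty (not absent) fragment and blocks inheritance, so inspect the
  // raw header rather than to.hash, which is "" for both cases.
  if (!location.includes("#") && from.hash !== "") {
    to.hash = from.hash;
  }
  return to.href;
}

// Walk a chain of redirects ("one auth flow redirect to another").
function followRedirectChain(startUrl, locations) {
  return locations.reduce((current, loc) => followRedirect(current, loc), startUrl);
}

// Remove Facebook's "#_=_" marker from a URL string, leaving any other
// fragment alone. Setting hash to "" drops the fragment entirely, so the
// result has no trailing "#".
function stripFacebookFragment(url) {
  const u = new URL(url);
  if (u.hash === "#_=_") u.hash = "";
  return u.href;
}

// Constructed scenario: an implicit-grant response has left an access token
// in the fragment of the page the user is on (first-app.example); that page
// then redirects the browser to a second app's callback, which carries no
// fragment of its own. The hostnames and token are placeholders.
const START_URL = "https://first-app.example/oauth-done#access_token=SECRET123";
const SECOND_APP_CALLBACK = "https://second-app.example/callback?code=abc";

// What a script on second-app.example can read from its own location.hash
// after the redirect, with or without the "#_=_" mitigation on the target.
function tokenVisibleToSecondApp(withMitigation) {
  const target = withMitigation ? SECOND_APP_CALLBACK + "#_=_" : SECOND_APP_CALLBACK;
  const landed = new URL(followRedirectChain(START_URL, [target]));
  return new URLSearchParams(landed.hash.slice(1)).get("access_token");
}

console.log("without mitigation:", tokenVisibleToSecondApp(false)); // SECRET123
console.log("with #_=_ appended:", tokenVisibleToSecondApp(true));  // null
console.log(stripFacebookFragment("http://apps.facebook.com/xxxxxxxxxxxx/#_=_"));
```

In a browser the cleanup is better done with `history.replaceState(null, "", stripFacebookFragment(location.href))` than with `location.hash = ""`, which leaves a bare "#" in the address bar. It also has to run in the document that owns the URL: a canvas app's iframe cannot read `top.location.hash` when the parent is on a different origin (the access throws a SecurityError), which is why the `window.location.hash` check in the comment above sees nothing from inside the iframe.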

See this: https://developers.facebook.com/blog/post/552/

Change in Session Redirect Behavior

This week, we started adding a fragment #_=_ to the redirect_uri when this field is left blank. Please ensure that your app can handle this behavior.

Dissatisfied answered 20/9/2011 at 12:45

Comments (4):

Awesome, thanks. I have to keep reading the blog and not just code :) (Cesar)

When what field is left blank? I am getting this and nothing else. What is the answer? (Everybody)

@AntonyD'Andrea Were you able to find the answer to the blank field causing this problem? (Rockoon)

@EdmundRojas The only way I could avoid this bug was to send the type as 'token' instead of 'code' (even though the documentation says it can be one or the other), and then I get a token in the fragment. This is annoying, as a code would have been in a parameter. But at least I have a token to do something with rather than nothing. (Everybody)