Weird URL appended "#_=_"


See This: https://developers.facebook.com/blog/post/552/

Change in Session Redirect Behavior

This week, we started adding a fragment #_=_ to the redirect_uri when this field is left blank. Please ensure that your app can handle this behavior.

Author by bool.dev

Currently I use Flask, Python, and JavaScript for developing web applications. Used to work on Yii and PHP. Code and design systems for a living.

Updated on October 04, 2020

Comments

  • bool.dev over 3 years

    Possible Duplicate:
    Play Framework appending #= to redirect after Facebook auth via OAuth2?

    Has anyone else seen this happen?

    I am building a Facebook canvas app using the Facebook PHP SDK, and some JavaScript.
    Now when I take the user through the OAuth authentication flow, I have noticed that the URL in the browser automatically gets "#_=_" appended, so my URL starts looking like this:

    http://apps.facebook.com/xxxxxxxxxxxx/#_=_

    and when I redirect to the app profile page the URL is this:

    http://www.facebook.com/apps/application.php?id=xxxxxxxxxxxx#_=_

    I am redirecting using

    echo "<script type='text/javascript'>top.location.href='$appcanvasurl';</script>";

    to the canvas URL, and

    echo "<script type='text/javascript'>top.location.href='$appprofurl';</script>";

    for app profile page.

    So why is this #_=_ getting appended?

    Update:

    According to this bug on the tracker, this is by design, and giving a value for the redirect_uri does not change this.

    And according to the official Facebook reply on that page (you have to be logged in to Facebook to view the post):

    This has been marked as 'by design' because it prevents a potential security vulnerability.

    Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment).

    For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com.

    Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another.

    This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior.

    If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.
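    The redirect behaviour described in the Facebook reply above, and the "make sure your app can handle this" advice from the blog post linked in the answer, as an added example that is not part of the original question or of any answer. The first function models the browser rule that causes the leak (a redirect whose Location header has no fragment inherits the fragment of the page being redirected from, which is why appending `#_=_` blocks it); the second implements the `window.location.hash` cleanup the reply suggests, as a pure function over an href so it can be checked outside a browser; the third applies it to the address bar. Function names are my own, and the URLs used are the masked ones from the question.

    ```javascript
    // Added example (not from the original post): models the browser rule that
    // makes Facebook append "#_=_", and shows how a client can strip it again.

    // Fragment inheritance on redirect: if the Location header carries no
    // fragment, the browser keeps the fragment of the URL it was redirecting
    // from. This is the behaviour the Facebook reply describes.
    function followRedirect(fromUrl, locationHeader) {
      const from = new URL(fromUrl);
      const to = new URL(locationHeader, from); // Location may be relative
      if (to.hash === '' && from.hash !== '') {
        to.hash = from.hash;                   // inherited fragment: the leak
      }
      return to.href;
    }

    // Cleanup for the resulting "#_=_": returns the href without the marker
    // and without a dangling "#". Any other fragment (for example a real
    // access_token from a response_type=token flow) is left untouched.
    function stripUnderscoreFragment(href) {
      const u = new URL(href);
      if (u.hash !== '#_=_') return href; // not the Facebook marker, leave it
      u.hash = '';                         // empty string drops the fragment
      return u.href.replace(/#$/, '');     // belt and braces for older engines
    }

    // Browser hook: rewrite the address bar without a reload or an extra
    // history entry. Returns false (and does nothing) when there is no window,
    // e.g. when this file is run under Node.
    function cleanAddressBar() {
      if (typeof window === 'undefined' || !window.history?.replaceState) return false;
      const cleaned = stripUnderscoreFragment(window.location.href);
      if (cleaned === window.location.href) return false;
      window.history.replaceState(null, document.title, cleaned);
      return true;
    }

    // Constructed demonstration of the leak and of the mitigation.
    console.log(followRedirect('https://example1.com/auth#access_token=abc',
                               'https://example2.com/cb'));      // fragment inherited
    console.log(followRedirect('https://example1.com/auth#access_token=abc',
                               'https://example2.com/cb#_=_'));  // inheritance blocked
    console.log(stripUnderscoreFragment('http://apps.facebook.com/xxxxxxxxxxxx/#_=_'));
    ```

    Call `cleanAddressBar()` once on page load (after your own code has read anything it needs from the fragment); because it uses `history.replaceState` rather than assigning `window.location.hash = ''`, the browser does not leave a trailing `#` and does not scroll or reload.
    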

  • bool.dev over 12 years
    awesome, thanks, have to keep reading the blog, and not just code :)
  • Antony D'Andrea over 8 years
    When what field is left blank? I am getting this and nothing else. What is the answer?
  • Edmund Rojas over 8 years
    @AntonyD'Andrea were you able to find the answer to the blank field causing this problem?
  • Antony D'Andrea over 8 years
    @EdmundRojas The only way I could avoid this bug was to send the type as 'token' instead of 'code' (even though the documentation says it can be one or the other) and then I get a token in the fragment. This is annoying as a code would have been in a parameter. But at least I have a token to do something with rather than nothing.