Weird url appended “#_=_” [duplicate]

Question

This question already has answers here:

Play Framework appending #_=_ to redirect after Facebook auth via OAuth2? (2 answers)

Possible Duplicate:
Play Framework appending #= to redirect after Facebook auth via OAuth2?

Has anyone else seen this happen?

I am building a Facebook canvas app using the Facebook PHP SDK, and some Javascript.
Now when I take the user through the OAuth authentication flow, I have noticed that the URL in the browser automatically gets appended with this "#_=_" , so my URL starts looking like this:

http://apps.facebook.com/xxxxxxxxxxxx/#_=_

and when I redirect to the app profile page the URL is this:

http://www.facebook.com/apps/application.php?id=xxxxxxxxxxxx#_=_

I am redirecting using

echo "<script type='text/javascript'>top.location.href='$appcanvasurl';</script>"

to the canvas URL, and

echo "<script type='text/javascript'>top.location.href='$appprofurl';</script>"

for app profile page.

So why is this #_=_ getting appended?

Update:

According to this bug on the tracker, this is by design, and giving a value for the redirect_uri does not change this.

And according to the official facebook reply on that page (have to be logged in to Facebook to view the post):

This has been marked as 'by design' because it prevents a potential security vulnerability.

Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment).

For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com.

Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another.

This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior.

If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.

Answer 1

See This: https://developers.facebook.com/blog/post/552/

Change in Session Redirect Behavior

This week, we started adding a fragment #_=_ to the redirect_uri when this field is left blank. Please ensure that your app can handle this behavior.