Weird url appended “#_=_” [duplicate]

巧了我就是萌 submitted on 2019-12-03 10:31:53

Question


Possible Duplicate:
Play Framework appending #= to redirect after Facebook auth via OAuth2?

Has anyone else seen this happen?

I am building a Facebook canvas app using the Facebook PHP SDK, and some JavaScript.
Now when I take the user through the OAuth authentication flow, I have noticed that the URL in the browser automatically gets appended with this "#_=_", so my URL starts looking like this:

http://apps.facebook.com/xxxxxxxxxxxx/#_=_

and when I redirect to the app profile page the URL is this:

http://www.facebook.com/apps/application.php?id=xxxxxxxxxxxx#_=_

I am redirecting using

echo "<script type='text/javascript'>top.location.href='$appcanvasurl';</script>";

to the canvas URL, and

echo "<script type='text/javascript'>top.location.href='$appprofurl';</script>";

for app profile page.

So why is this #_=_ getting appended?

Update:

According to this bug on the tracker, this is by design, and giving a value for the redirect_uri does not change this.

And according to the official Facebook reply on that page (have to be logged in to Facebook to view the post):

This has been marked as 'by design' because it prevents a potential security vulnerability.

Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment).

For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com.

Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another.

This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior.

If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.


Answer 1:


See This: https://developers.facebook.com/blog/post/552/

Change in Session Redirect Behavior

This week, we started adding a fragment #_=_ to the redirect_uri when this field is left blank. Please ensure that your app can handle this behavior.



Source: https://stackoverflow.com/questions/7485111/weird-url-appended
