Created By
Randall Bennett
09/23/2011 8:02am

Bug: Facebook always appends #_=_ to the redirect_uri in the server-side authentication flow

  • Status: By Design
  • Priority: None
  • Updated: February 7, 2012 at 2:06pm
Latest response from Facebook
Eric Osgood
This has been marked as 'by design' because it prevents a potential security vulnerability.

Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment).

For example, if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com.

Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another.

This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior.

If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.
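The redirect behaviour described in the response above, modelled as an added example (this is not code from the bug report, from Facebook, or from the reporter's app). The response says "some browsers" do this; the Fetch standard has since specified it for all of them: when a Location header carries no fragment, the fragment of the URL being redirected from is reused. The hostnames, the token value, and the function names (followRedirect, fragmentParams, hrefWithoutFragment) are made up for illustration. Run it with Node, which has the WHATWG URL class built in.

```javascript
// Added example, not from the original page. Models how a browser handles a
// redirect whose Location has no fragment of its own, and why a placeholder
// fragment such as "#_=_" blocks the carry-over.

// Model of HTTP-redirect handling: if the Location URL has no fragment, the
// browser reuses the fragment of the URL it was redirected *from*.
function followRedirect(currentHref, locationHeader) {
  const from = new URL(currentHref);
  const to = new URL(locationHeader, from); // Location may be relative
  // A bare trailing "#" is an empty (non-null) fragment and also blocks the
  // carry-over, so test the serialized URL rather than `to.hash`, which is ''
  // for both "no fragment" and "empty fragment".
  if (!to.href.includes('#') && from.hash !== '') {
    to.hash = from.hash;
  }
  return to.href;
}

// What a script on the destination page can read via location.hash.
function fragmentParams(href) {
  const hash = new URL(href).hash;
  return Object.fromEntries(new URLSearchParams(hash.slice(1)));
}

// Client-side cleanup as suggested in the response above. Assigning
// location.hash = '' leaves a dangling "#" in the address bar; replacing the
// history entry with origin + path + query removes the fragment entirely.
function hrefWithoutFragment(href) {
  const u = new URL(href);
  return u.origin + u.pathname + u.search;
}
// In a browser page:
//   history.replaceState(null, '', hrefWithoutFragment(location.href));

// Constructed scenario (hostnames and values are invented): app A's callback
// page holds an implicit-flow token in its fragment and answers with a redirect
// into app B's server-side callback. Without a fragment on that redirect, the
// token travels along and becomes readable by app B's scripts.
const APP_A_CALLBACK =
  'https://app-a.example/fb/callback#access_token=SECRET123&expires_in=3600';
const REDIRECT_TO_B = 'https://app-b.example/oauth/callback?code=c0ffee'; // no fragment
const REDIRECT_TO_B_MITIGATED = REDIRECT_TO_B + '#_=_'; // what Facebook does

function demo() {
  const leaked = followRedirect(APP_A_CALLBACK, REDIRECT_TO_B);
  const safe = followRedirect(APP_A_CALLBACK, REDIRECT_TO_B_MITIGATED);
  return {
    leaked,                                        // ...?code=c0ffee#access_token=SECRET123&...
    leakedToken: fragmentParams(leaked).access_token, // 'SECRET123' visible to app B
    safe,                                          // ...?code=c0ffee#_=_
    safeToken: fragmentParams(safe).access_token,  // undefined
    cleaned: hrefWithoutFragment(safe),            // ...?code=c0ffee
  };
}

console.log(demo());
```

The placeholder works because the rule keys on the Location URL having a fragment at all, not on its contents; any fragment, even a lone "#", would do. The cleanup function is the part an app would keep: call it once on the callback page and the "#_=_" disappears without a page load.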
https://developers.facebook.com/blog/post/552/

That post documents the change. I can't figure out how to avoid having that URL appended, so for now, my app will have to remove the hash on the user side.