Facebook最近在处理会话重定向的方式上做出了改变。有关公告，请参阅本周Operation Developer Love博客文章中的“会话重定向行为的更改”。

Facebook最近在处理会话重定向的方式上做出了改变。有关公告，请参阅本周Operation Developer Love博客文章中的“会话重定向行为的更改”。

删除“#_=_”(PHP)的最简单和干净的解决方案:

用“echo(”Location .php)代替“header("Location: xxx.php");"Href = 'xxx.php';");"

通过Facebook平台更新:

更改会话重定向行为 本周，我们开始在redirect_uri中添加一个片段#____=____ 该字段为空。请确保您的应用程序可以处理这个问题 的行为。

为了防止这种情况，在你的登录url请求中设置redirect_uri(使用Facebook php-sdk)

$facebook->getLoginUrl(array('redirect_uri' => $_SERVER['SCRIPT_URI'],'scope' => 'user_about_me'));

更新

上述内容正是文档中所述的修复此问题的方法。然而，Facebook记录的解决方案并不奏效。请考虑在Facebook平台更新博客上留下评论，并关注这个错误以获得更好的答案。在此之前，将以下内容添加到head标签以解决此问题:

<script type="text/javascript">
    if (window.location.hash && window.location.hash == '#_=_') {
        window.location.hash = '';
    }
</script>

或者一个更详细的选择(感谢niftylettuce):

<script type="text/javascript">
    if (window.location.hash && window.location.hash == '#_=_') {
        if (window.history && history.pushState) {
            window.history.pushState("", document.title, window.location.pathname);
        } else {
            // Prevent scrolling by storing the page's current scroll offset
            var scroll = {
                top: document.body.scrollTop,
                left: document.body.scrollLeft
            };
            window.location.hash = '';
            // Restore the scroll offset, should be flicker free
            document.body.scrollTop = scroll.top;
            document.body.scrollLeft = scroll.left;
        }
    }
</script>

使用Angular 2 (RC5)和基于哈希的路由，我这样做:

const appRoutes: Routes = [
  ...
  {path: '_', redirectTo: '/facebookLoginSuccess'},
  ...
]

and

export const routing = RouterModule.forRoot(appRoutes, { useHash: true });

据我所知，路由中的=字符被解释为可选路由参数定义的一部分(见https://angular.io/docs/ts/latest/guide/router.html#!#optional-route-parameters)，因此不涉及路由匹配。

这是Facebook出于安全考虑而设计的。下面是Facebook团队成员埃里克·奥斯古德的解释:

This has been marked as 'by design' because it prevents a potential security vulnerability. Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment). For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com. Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another. This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior. If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.

来源:https://developers.facebook.com/bugs/318390728250352/