Facebook回调已经开始追加#_=_哈希下划线返回URL
有人知道为什么吗?解决方案是什么?
当前回答
这是Facebook出于安全考虑而设计的。下面是Facebook团队成员埃里克·奥斯古德的解释:
This has been marked as 'by design' because it prevents a potential security vulnerability. Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment). For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com. Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another. This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior. If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.
来源:https://developers.facebook.com/bugs/318390728250352/
其他回答
不知道他们为什么这样做,但是,你可以通过重置页面顶部的哈希来解决这个问题:
if (window.location.hash == "#_=_")
window.location.hash = "";
这是Facebook出于安全考虑而设计的。下面是Facebook团队成员埃里克·奥斯古德的解释:
This has been marked as 'by design' because it prevents a potential security vulnerability. Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment). For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com. Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another. This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior. If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.
来源:https://developers.facebook.com/bugs/318390728250352/
我使用这个,删除'#'符号。
<script type="text/javascript">
if (window.location.hash && window.location.hash == '#_=_') {
window.location.href = window.location.href.split('#_=_')[0];
}
</script>
我看不出这个问题与facebook AJAX有什么关系。事实上,禁用JavaScript和完全基于重定向的登录也会出现这个问题。
一个与facebook交换的例子:
1. GET <https://www.facebook.com/dialog/oauth?client_id=MY_APP_ID&scope=email&redirect_uri=MY_REDIRECT_URL> RESPONSE 302 Found Location: <https://www.facebook.com/connect/uiserver.php?[...]>
2. GET <https://www.facebook.com/connect/uiserver.php?[...]> RESPONSE 302 Found MY_REDIRECT_URL?code=FB_CODE#_
3. GET MY_REDIRECT_URL?code=FB_CODE#_
我也只在火狐浏览器上遇到过这种情况。
适用于PHP SDK用户
我只是通过在转发之前删除额外的部分来解决这个问题。
$loginURL = $helper->getLoginUrl($redirectURL, $fbPermissions);
$loginURL = str_replace("#_=_", "", $loginURL);
header("Location: " . $loginURL);
推荐文章
- 如何测试Facebook本地连接
- 如何在iOS中使用Swift编程segue
- Ajax会调用什么样的响应,比如'for (;;);{json data}的意思?
- React-Native:应用程序未注册错误
- Facebook:永久页面访问令牌?
- 调用线程必须是STA,因为许多UI组件都要求这一点
- 使用什么api来绘制其他应用程序(如Facebook的Chat Heads)?
- Android Facebook集成无效键散列
- 如何创建Android Facebook密钥哈希?
- Android-Facebook应用程序的键散列
- 如何找到并运行keytool
- Facebook API -如何通过Facebook API获得Facebook用户的个人资料图像(不需要用户“允许”应用程序)
- 如何从事件对象访问自定义属性在反应?
- Android Facebook风格幻灯片
- Facebook OAuth“这个URL的域名不包括在应用程序的域名中”
