Facebook回调已经开始追加#_=_哈希下划线返回URL
有人知道为什么吗?解决方案是什么?
Facebook回调已经开始追加#_=_哈希下划线返回URL
有人知道为什么吗?解决方案是什么?
当前回答
你也可以在Facebook回调的redirect_uri参数上指定你自己的散列,这在某些情况下可能是有帮助的,例如/api/account/callback#home。当你被重定向回来,它至少是一个哈希,对应于一个已知的路由,如果你使用backbone.js或类似的(不确定jquery移动)。
其他回答
如果你使用的是带有hashbang (/#!/) url的JS框架,比如Angular,这可能会成为一个严重的问题。实际上,Angular会认为带有非hashbang片段的url是无效的,并抛出一个错误:
Error: Invalid url "http://example.com/#_=_", missing hash prefix "#!".
如果你在这种情况下(重定向到你的域根目录),不要这样做:
window.location.hash = ''; // goes to /#, which is no better
简单地做:
window.location.hash = '!'; // goes to /#!, which allows Angular to take care of the rest
这是Facebook出于安全考虑而设计的。下面是Facebook团队成员埃里克·奥斯古德的解释:
This has been marked as 'by design' because it prevents a potential security vulnerability. Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment). For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com. Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another. This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior. If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.
来源:https://developers.facebook.com/bugs/318390728250352/
将此添加到我的重定向页面解决了我的问题…
if (window.location.href.indexOf('#_=_') > 0) {
window.location = window.location.href.replace(/#.*/, '');
}
适用于PHP SDK用户
我只是通过在转发之前删除额外的部分来解决这个问题。
$loginURL = $helper->getLoginUrl($redirectURL, $fbPermissions);
$loginURL = str_replace("#_=_", "", $loginURL);
header("Location: " . $loginURL);
使用angular和angular ui router,你可以修复这个问题
app.config(function ($stateProvider, $urlRouterProvider, $locationProvider) {
// Make a trailing slash optional for all routes
// - Note: You'll need to specify all urls with a trailing slash if you use this method.
$urlRouterProvider.rule(function ($injector, $location) {
/***
Angular misbehaves when the URL contains a "#_=_" hash.
From Facebook:
Change in Session Redirect Behavior
This week, we started adding a fragment #_=_ to the redirect_uri when this field is left blank.
Please ensure that your app can handle this behavior.
Fix:
http://stackoverflow.com/questions/7131909/facebook-callback-appends-to-return-url#answer-7297873
***/
if ($location.hash() === '_=_'){
$location.hash(null);
}
var path = $location.url();
// check to see if the path already has a slash where it should be
if (path[path.length - 1] === '/' || path.indexOf('/?') > -1) {
return;
}
else if (path.indexOf('?') > -1) {
$location.replace().path(path.replace('?', '/?'));
}
else {
$location.replace().path(path + '/');
}
});
// etc ...
});
});