Facebook Callback appends ‘#_=_’ to Return URL

Facebook callback has started appending #_=_ hash underscore to the Return URL

Does anyone know why? What is the solution?

22 s
22

This was implemented by Facebook by design for security reasons. Here’s the explanation from Eric Osgood, a Facebook Team member:

This has been marked as ‘by design’
because it prevents a potential security vulnerability.

Some browsers will append the hash fragment from a URL to the end of a
new URL to which they have been redirected (if that new URL does not
itself have a hash fragment).

For example if example1.com returns a redirect to example2.com, then a
browser going to example1.com#abc will go to example2.com#abc, and the
hash fragment content from example1.com would be accessible to a
script on example2.com.

Since it is possible to have one auth flow redirect to another, it
would be possible to have sensitive auth data from one app accessible
to another.

This is mitigated by appending a new hash fragment to the redirect URL
to prevent this browser behavior.

If the aesthetics, or client-side behavior, of the resulting URL are
of concern, it would be possible to use window.location.hash (or even
a server-side redirect of your own) to remove the offending
characters.

Source: https://developers.facebook.com/bugs/318390728250352/

Leave a Comment