Weird URL appended "#_=_"
Possible Duplicate:
Play Framework appending #= to redirect after Facebook auth via OAuth2?
Has anyone else seen this happen?
I am building a Facebook canvas app using the Facebook PHP SDK, and some JavaScript.
Now when I take the user through the OAuth authentication flow, I have noticed that the URL in the browser automatically gets appended with this "#_=_", so my URL starts looking like this:
http://apps.facebook.com/xxxxxxxxxxxx/#_=_
and when I redirect to the app profile page the URL is this:
http://www.facebook.com/apps/application.php?id=xxxxxxxxxxxx#_=_
I am redirecting using
echo "<script type='text/javascript'>top.location.href='$appcanvasurl';</script>"
to the canvas URL, and
echo "<script type='text/javascript'>top.location.href='$appprofurl';</script>"
for the app profile page.
So why is this #_=_ getting appended?
Update:
According to this bug on the tracker, this is by design, and giving a value for the redirect_uri does not change this.
And according to the official Facebook reply on that page (have to be logged in to Facebook to view the post):
This has been marked as 'by design' because it prevents a potential security vulnerability.
Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment).
For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com.
Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another.
This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior.
If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.
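The two sides of the behaviour described in the reply, as an added example that is not code from the question, from the PHP SDK, or from Facebook: `addDefensiveFragment` shows what a provider does when it appends `#_=_` to a redirect target that has no fragment of its own (so a browser cannot carry a previous page's fragment onto it), and `stripSentinelFragment` / `cleanCurrentUrl` show the client-side cleanup via `window.location` and `history.replaceState` that the reply suggests. The function names and the sample URLs are hypothetical.

```javascript
// Added example; the helper names are hypothetical, not an SDK API.
const SENTINEL = '#_=_';

// Provider side: append the sentinel only when the redirect_uri has no
// fragment. Browsers only inherit the previous URL's fragment when the
// redirect target itself lacks one, so a non-empty fragment blocks the leak.
function addDefensiveFragment(redirectUri) {
  const url = new URL(redirectUri);
  if (url.hash === '') {
    url.hash = SENTINEL;
  }
  return url.toString();
}

// App side: remove exactly the sentinel and nothing else, so a real
// fragment the app relies on (e.g. "#settings") is left untouched.
function stripSentinelFragment(href) {
  const url = new URL(href);
  if (url.hash !== SENTINEL) {
    return href;
  }
  url.hash = ''; // setting the hash to '' drops the fragment entirely
  return url.toString();
}

// Browser use: rewrite the visible URL without a reload or a new history
// entry. Guarded so the module still loads under Node for the helpers above.
function cleanCurrentUrl() {
  if (typeof window === 'undefined') {
    return null;
  }
  const current = window.location.href;
  const cleaned = stripSentinelFragment(current);
  if (cleaned !== current && window.history && window.history.replaceState) {
    window.history.replaceState(null, document.title, cleaned);
  }
  return cleaned;
}
```

Call `cleanCurrentUrl()` once on page load after the OAuth redirect lands; on older browsers without `replaceState` the function returns the cleaned URL but leaves the address bar unchanged.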
See This:
https://developers.facebook.com/blog/post/552/