Facebook Callback appends to Return URL

Question

Facebook callback has started appending      hash underscore to the Return URL  Does anyone know why  What is the solution

User · Answer

Adding this to my redirect page fixed the problem for me      if  window location href indexOf          gt  0        window location   window location href replace

User · Answer

For PHP SDK users  I fixed the problem simply by removing the extra part before forwarding     loginURL    helper- gt getLoginUrl  redirectURL   fbPermissions     loginURL   str replace              loginURL    header  Location       loginURL

User · Answer

For those who are looking for simple answer if  window location hash      quot      quot        history replaceState            history replaceState null  null  window location href split  quot   quot   0             window location hash    quot  quot

User · Answer

This can become kind of a serious issue if you re using a JS framework with hashbang        URLs  e g  Angular  Indeed  Angular will consider URLs with a non-hashbang fragment as invalid and throw an error    Error  Invalid url  http   example com        missing hash prefix         If you re in such a case  and redirecting to your domain root   instead of doing    window location hash          goes to     which is no better   Simply do    window location hash           goes to      which allows Angular to take care of the rest

User · Answer

I know this reply is late  but if you are using passportjs  you might want to see this    return  req  res  next    gt        console log req originalUrl       next         I have written this middleware and applied it to express server instance  and the original URL I ve got is without the         Looks like it when we apply passporJS  instance as middleware to the server instance  it doesn t take those characters  but are only visible on the address bar of our browsers

User · Answer

You can also specify your own hash on the redirect uri parameter for the Facebook callback  which might be helpful in certain circumstances e g   api account callback home  When you are redirected back  it ll at least be a hash that corresponds to a known route if you are using backbone js or similar  not sure about jquery mobile

User · Answer

This would remove the appended characters to your url   lt script type  text javascript  gt   var idx window location toString   indexOf              if  idx  gt  0          window location   window location toString   substring 0  idx           lt  script gt

User · Answer

A workaround that worked for me  using Backbone js   was to add      to the end of the redirect URL passed to Facebook  Facebook will keep the provided fragment  and not append its own         Upon return  Backbone will remove the      part  For AngularJS  appending      to the return URL should work   Note that the fragment identifier of the original URL is preserved on redirection  via HTTP status codes 300  301  302 and 303  by most browsers  unless the redirect URL also has a fragment identifier  This seems to be recommended behaviour   If you use a handler script that redirects the user elsewhere  you can append     to the redirect URL here to replace the fragment identifier with an empty string

User · Answer

Major annoying  especially for apps that parse the URI and not just read the   GET    Here s the hack I threw together    Enjoy    lt html xmlns fb  http   www facebook com 2008 fbml  gt   lt head gt           lt script type  text javascript  gt             Get rid of the Facebook residue hash in the URI            Must be done in JS cuz hash only exists client-side            IE and Chrome version of the hack         if  String window location hash  substring 0 1                            window location hash                       window location href window location href slice 0  -1                                Firefox version of the hack         if  String location hash  substring 0 1                            location hash                       location href location href substring 0 location href length-3                              lt  script gt   lt  head gt   lt body gt  URI should be clean  lt  body gt   lt  html gt

User · Answer

Facebook uses a frame and inside of it everything functions using AJAX communication  The biggest problem in this case is preserving the current page state   As far I understand  Facebook decided to use simulated anchors   This means if you clicked somewhere  they simulate that as an anchor inside of your page  and when the AJAX communication starts  they change the anchor bit of your URL as well   This solution helps you normally when you try to reload the page  not ENTER  press F5   because your browser sends the whole URL with anchors to the Facebook server   Therefore Facebook picks up the latest state  what you see  and you are then able to continue from there   When the callback returns with      it means that the page was in its basic state prior to leaving it   Because this anchor is parsed by the browser  you need not worry about it

User · Answer

This was implemented by Facebook by design for security reasons  Here s the explanation from Eric Osgood  a Facebook Team member      This has been marked as  by design    because it prevents a potential security vulnerability       Some browsers will append the hash fragment from a URL to the end of a   new URL to which they have been redirected  if that new URL does not   itself have a hash fragment        For example if example1 com returns a redirect to example2 com  then a   browser going to example1 com abc will go to example2 com abc  and the   hash fragment content from example1 com would be accessible to a   script on example2 com       Since it is possible to have one auth flow redirect to another  it   would be possible to have sensitive auth data from one app accessible   to another       This is mitigated by appending a new hash fragment to the redirect URL   to prevent this browser behavior       If the aesthetics  or client-side behavior  of the resulting URL are   of concern  it would be possible to use window location hash  or even   a server-side redirect of your own  to remove the offending   characters    Source  https   developers facebook com bugs 318390728250352

User · Answer

Not sure why they re doing this but  you could get around this by reseting the hash at the top of your page   if  window location hash              window location hash

User · Answer

I use this one  to delete     symbol as well    lt script type  text javascript  gt      if  window location hash  amp  amp  window location hash                      window location href   window location href split         0          lt  script gt

User · Answer

With angular and angular ui router  you can fix this       app config function   stateProvider   urlRouterProvider   locationProvider              Make a trailing slash optional for all routes          - Note  You ll need to specify all urls with a trailing slash if you use this method         urlRouterProvider rule function   injector   location                         Angular misbehaves when the URL contains a        hash           From Facebook            Change in Session Redirect Behavior           This week  we started adding a fragment      to the redirect uri when this field is left blank            Please ensure that your app can handle this behavior           Fix            http   stackoverflow com questions 7131909 facebook-callback-appends-to-return-url answer-7297873                      if   location hash                          location hash null                      var path    location url                check to see if the path already has a slash where it should be         if  path path length - 1             path indexOf        gt  -1              return                    else if  path indexOf       gt  -1               location replace   path path replace                                else              location replace   path path                                       etc

User · Answer

A change was introduced recently in how Facebook handles session redirects  See  Change in Session Redirect Behavior  in this week s Operation Developer Love blog post for the announcement

User · Answer

via Facebook s Platform Updates      Change in Session Redirect Behavior      This week  we started adding a fragment            to the redirect uri when   this field is left blank  Please ensure that your app can handle this   behavior    To prevent this  set the redirect uri in your login url request like so   using Facebook php-sdk    facebook- gt getLoginUrl array  redirect uri    gt    SERVER  SCRIPT URI    scope    gt   user about me       UPDATE  The above is exactly as the documentation says to fix this   However  Facebook s documented solution does not work   Please consider leaving a comment on the Facebook Platform Updates blog post and follow this bug to get a better answer   Until then  add the following to your head tag to resolve this issue    lt script type  text javascript  gt      if  window location hash  amp  amp  window location hash                      window location hash              lt  script gt    Or a more detailed alternative  thanks niftylettuce     lt script type  text javascript  gt      if  window location hash  amp  amp  window location hash                      if  window history  amp  amp  history pushState                window history pushState     document title  window location pathname             else                  Prevent scrolling by storing the page s current scroll offset             var scroll                     top  document body scrollTop                  left  document body scrollLeft                            window location hash                      Restore the scroll offset  should be flicker free             document body scrollTop   scroll top              document body scrollLeft   scroll left                   lt  script gt

User · Answer

The easiest and clean solution to remove  quot   35   95   61   95  quot   PHP    Instead of  header  Location  xxx php     to use  echo   location href    xxx php

User · Answer

Using Angular 2  RC5  and hash-based routes  I do this   const appRoutes  Routes              path       redirectTo    facebookLoginSuccess              and  export const routing   RouterModule forRoot appRoutes    useHash  true       As far as I understand  the   character in the route is interpreted as part of optional route parameters definition  see https   angular io docs ts latest guide router html   optional-route-parameters   so not involved in the route matching

User · Answer

I do not see how this problem is related to facebook AJAX  In fact the issue also occurs with JavaScript disabled and purely redirect based logins     An example exchange with facebook     1  GET  lt https   www facebook com dialog oauth client id MY APP ID amp scope email amp redirect uri MY REDIRECT URL gt  RESPONSE 302 Found Location   lt https   www facebook com connect uiserver php       gt    2  GET  lt https   www facebook com connect uiserver php       gt  RESPONSE 302 Found MY REDIRECT URL code FB CODE     3  GET MY REDIRECT URL code FB CODE       Happens only with Firefox for me too

User · Answer

if you want to remove the remaining     from the url    window  on  load   function e     if  window location hash                  window location hash          for older browsers  leaves a   behind     history pushState     document title  window location pathname      nice and clean     e preventDefault       no page reload

User · Answer

TL DR  if  window location hash                  history replaceState            history replaceState null  null  window location href split      0             window location hash           Full version with step by step instructions     Test for the ugliness  if  window location hash                      Check if the browser supports history replaceState      if  history replaceState                Keep the exact URL up to the hash          var cleanHref   window location href split      0               Replace the URL in the address bar without messing with the back button          history replaceState null  null  cleanHref          else               Well  you re on an old browser  we can get rid of the     but not the            window location hash                   Step by step    We ll only get into the code block if the fragment is       Check if the browser supports the HTML5 window replaceState method    Clean the URL by splitting on   and taking only the first part  Tell history to replace the current page state with the clean URL  This modifies the current history entry instead of creating a new one  What this means is the back and forward buttons will work just the way you want   -   If the browser does not support the awesome HTML 5 history methods then just clean up the URL as best you can by setting the hash to empty string  This is a poor fallback because it still leaves a trailing hash  example com    and also it adds a history entry  so the back button will take you back to   -      Learn more about history replaceState   Learn more about window location

User · Answer

If you re using vue-router  you can append to the list of routes       path            redirect           lt -- or other default route

User · Answer

For me  i make JavaScript redirection to another page to get rid of       The ideas below should work      function redirect  url       echo   lt script gt window location href    url     SERVER  QUERY STRING     lt  script gt

[facebook] Facebook Callback appends '#_=_' to Return URL

Examples related to facebook

Examples related to returnurl