Why do some websites include #_=_ at the end of a URL? - url

Some websites like Facebook and Ask FM use #_=_ at the end of a URL to an external website. Why?
If two large websites are doing so, surely it must mean something?

The problem is after authenticating with Facebook. The base path becomes a hash which eventually breaks the navigation.
I think this is because Facebook passes the URL with some hash key. With or without a redirection URL being passed, Facebook passes this to avoid vulnerability to attacks.
From https://developers.facebook.com/blog/post/552/, change in Session Redirect Behavior:
This week, we started adding a fragment #_=_ to the redirect_uri when this field is left blank. Please ensure that your app can handle this behavior.
A solution is simply removing the hash, as stated here; then everything seems back to normal:
Facebook Callback appends '#_=_' to Return URL

Related

Keycloak remove url fragments after login

I'm struggling with Keycloak for what seems a simple problem and, after reading a lot of stuff about the subject, nothing solved my problem yet.
The problem is that I call a URL with a fragment like http://hostname:8080/somewebui/#!builder/site.com:manager:manager/1.0.0/hostname=anotherhostname.
The fragment after the # allows me to pre-fill fields on the site so that the user just has to click on a button to save the data.
The site is protected by Keycloak.
If I'm already logged on the site and I call this URL, it works fine, the site opens and the requested fields are filled, it's perfect.
On the contrary, if I'm not yet logged on the site (most usual case), the login page managed by Keycloak is displayed asking to enter credentials, which is normal.
But after I successfully enter the credentials, Keycloak redirects me to http://hostname:8080/somewebui/, without the fragment.
My question is therefore simple: how can I tell Keycloak to keep the fragments after a login?
Thank you in advance,
Seb
https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2
The endpoint URI MUST NOT include a fragment component.
So a fragment in the redirect URI can't be supported if the standard is implemented correctly.
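A check in the spirit of the RFC 6749 section 3.1.2 rule quoted above, as an added example that is not Keycloak's code. The function names and sample URIs are hypothetical, and exact-match comparison against a registered list is a policy assumed for this example.

```javascript
// Added example (not Keycloak's implementation); names are hypothetical.
function checkRedirectUri(candidate, registeredUris) {
  // RFC 6749 section 3.1.2: the endpoint URI MUST NOT include a fragment.
  // Test the raw string: new URL('https://a/cb#').hash is '' even though
  // a (empty) fragment component is present.
  if (candidate.includes('#')) {
    return { ok: false, reason: 'fragment' };
  }
  // RFC 6749 section 3.1.2: the endpoint URI MUST be an absolute URI.
  try {
    new URL(candidate); // throws on relative references such as '/cb'
  } catch (e) {
    return { ok: false, reason: 'not-absolute' };
  }
  // Assumed policy for this example: exact string match with a registered URI.
  if (!registeredUris.includes(candidate)) {
    return { ok: false, reason: 'not-registered' };
  }
  return { ok: true, reason: null };
}

// What the server receives for a given address-bar URL: path and query only.
// The fragment stays in the browser, so a login redirect built on the server
// has nothing to restore it from.
function serverVisibleTarget(href) {
  const url = new URL(href);
  return url.pathname + url.search;
}
```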

Why is linkedIn adding a pound exclamation mark (hashbang) to my URL?

When sharing a link I've noticed that LinkedIn appends a '#!' to the end of the URL after redirecting. This is breaking my Backbone.js single-page app since we use pushState in the URL, and so the '!' is interpreted as a Backbone.js route.
Here is an example link (not my site). It will take you to:
http://blog.mindresearch.net/blog/bid/336633/The-Connection-Between-Math-and-Neuroscience#!
I know I can filter this on the server-side, or deal with it on the client-side in numerous ways, but it just seems strange, and I saw no posts online about this topic, so thought I'd post a question asking what it is, and whether there is a way to get rid of it?
Of course, I'll also email LinkedIn support, but thought this could be useful to anyone else running into the same problem.
AFAIK anything after the hash is not sent to the server; I use a simple client-side script to redirect those URLs. A naive redirect, but it works. I don't see any way of preventing it from occurring, unless LinkedIn and Facebook change their outgoing redirect policy.
<script>
  // Naive redirect: only fires when the fragment is exactly '#!'.
  if (window.location.hash === '#!') {
    window.location.href = 'http://domain.tld/';
  }
</script>
Sure, it only works for JavaScript-enabled clients, but then again, in my experience those hashbang URLs only break those clients in the first place.
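An added example, not code from either answer, that covers both the '#_=_' case from the first question and the '#!' case here: it removes only those exact fragments and rewrites the address bar in place instead of redirecting. The function name is hypothetical.

```javascript
// Added example. The two fragments below are the ones this page reports
// being appended by Facebook ('#_=_') and LinkedIn ('#!').
const JUNK_FRAGMENTS = new Set(['#_=_', '#!']);

// Returns href without the junk fragment, or null when nothing should change.
function stripJunkFragment(href) {
  const hashIndex = href.indexOf('#');
  if (hashIndex === -1) return null;
  // Exact match only: '#!builder/...' is a real in-app route and must survive.
  if (!JUNK_FRAGMENTS.has(href.slice(hashIndex))) return null;
  return href.slice(0, hashIndex);
}

// Browser hook: run before the client-side router (e.g. Backbone) starts.
// replaceState rewrites the address bar in place, so there is no reload and
// no redirect to a hard-coded host; query parameters are preserved.
if (typeof window !== 'undefined' && window.history && window.history.replaceState) {
  const cleaned = stripJunkFragment(window.location.href);
  if (cleaned !== null) {
    window.history.replaceState(window.history.state, document.title, cleaned);
  }
}
```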

Missing HTTP_REFERER after redirect

I am trying to track the URL that referred my website. One way is using a custom affiliate URL which will do a redirect (302) to my site. I want to track where the users are coming from. However, I realize that after redirection, the HTTP_REFERER from the header defaults to '/' when I was expecting it to be the URL where the user was redirected from. Does the HTTP_REFERER header get deleted after redirection? If yes, is there a way to store this information?
I am using Rails for my website and I am doing request.referer to get the HTTP_REFERER.
Referers are not guaranteed; they are completely optional and any number of things could be stripping them.

Twitter API is not respecting my callback_url parameter

I've read all the threads about similar issues on SO and elsewhere, and none of them have solved my problem.
I'm using Twython as a wrapper around the API. I've tried setting oauth_callback EVERYWHERE. Using the internal mechanism in Twython (which is done by setting callback_url on instantiation), by manually modifying the auth_url and appending the argument before redirecting the user, etc. I've tried deleting and recreating both new Twitter apps and new Twitter accounts, to no avail.
Whenever I redirect the client to Twitter, the correct oauth_callback is ALWAYS visible in the URL along with the oauth_token, but the API always ignores this argument and overrides it with the URL in the settings of my Twitter app (both are under the same domain). I have tried figuring this out for several hours and I'm at a dead end. I've seen this work before and I've done it plenty of times, so I don't know what could possibly be going wrong.
It's strange-- even if I set the callback to 'oob', which ought to trigger the PIN workflow rather than a callback, this argument is EVEN THEN ignored. Any ideas why?
You specify the oauth_callback value when you get a request token, as specified in OAuth 1.0a. In 1.0 you could pass it along with the user when they go to twitter.com, but this was changed for security reasons. You can read more about it in the /oauth/request_token docs.

flash scope issues in grails when cookies are disabled

In my application I want to have some dynamic content available to search engine bots which have cookies disabled. But I am stuck because I need to pass a redirect URL via flash scope to redirect to a different action and controller. When I use chain instead of redirect then I am able to get flash scope data, but I have some use cases in which I cannot use chain and have to use redirect. This is also because chain (uri: '/') does not work correctly, as this will redirect to the index action of the current controller and not to the controller that is defined for root '/'. The issue is that flash scope loses everything when cookies are disabled and doing redirect instead of chain. Is this a bug in Grails or a known limitation in Grails?
When cookies are disabled I still see the URL being rewritten with ;jsessionid=some_value, but according to the documentation, by default the URL would not be rewritten with jsessionid. When cookies are enabled then the URL is not rewritten, as expected. Is this a bug in Grails or expected behavior? How do I disable URL rewriting in Grails when cookies are disabled?
I also understand that the implication of disabling cookies and URL rewriting is that each request would result in new session object creation.
Not sure if it is the solution you are looking for, but have you tried Marc Palmer's One-Time Data plugin?
