How to get rid of the #_=_ in the facebook redirect of django-social-auth?

Question

django-social-auth redirects me to /mypage#_=_ when using the the Facebook backend.

As I am working with jquery mobile on the front end, I can not accept that.

I found: https://developers.facebook.com/blog/post/552/ on the facebook developers site.

Change in Session Redirect Behavior

This week, we started adding a fragment #_=_ to the redirect_uri when this field is left blank. Please ensure that your app can handle this behavior.

So I tried settung SOCIAL_AUTH_LOGIN_REDIRECT_URL in the django-social-auth settings to something 'none blank'. No luck

So, how to I get rid of the hash thing?

Thanks a lot!

Did you try removing that part using HTMLParser or by regex? — Eswar Rajesh Pinapala, Jun 24 '12 at 06:17
NO I did not, because I think that would be just a "hack" but anyway.. seems like I have to do it this way :( — wzr1337, Jun 25 '12 at 20:33
When Facebook said - "Please ensure that your app can handle this behavior." I think they mean that there is no flag to configure this on the FB end. :) — Eswar Rajesh Pinapala, Jun 25 '12 at 20:43
`redirect_uri` is added to the link, here is an example of the URL https://www.facebook.com/dialog/oauth?scope=email&redirect_uri=http%3A%2F%2Fmyapp.com%3A8000%2Fcomplete%2Ffacebook%2F&client_id=XXX tested locally, but it still shows the "#_=_" when redirected back. — omab, Jun 27 '12 at 19:06
ok.. facebook seems not to follow their docs at this point... — wzr1337, Jun 27 '12 at 19:16

score 16 · Accepted Answer · answered Jun 24 '12 at 06:16

16

Well, this may not be the exact solution, but adding following script to you head would help in fixing the problem:

<script type="text/javascript">
   if (window.location.hash == '#_=_') {
      window.location.hash = '';
   }
</script>

answered Jun 24 '12 at 06:16

Sudhir Bastakoti

94,682
14
145
149

score 7 · Answer 2 · answered Jan 20 '14 at 00:26

Looks like Facebook always appends the '#_=_' even if the redirect_uri is supplied. Since this behaviour is contrary to Facebook's blog post this functionality has been submitted to Facebook as a bug. Facebook has provided an official response to this bug claiming that appending the '#_=_' is a design feature that prevents a potential security flaw.

Facebook provides the following advice for dealing with the unwanted uri fragment, "If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters."

It appears that the javascript provided above is a valid solution, even if it is a bit hacky.

score 0 · Answer 3 · answered Jan 12 '17 at 14:05

0

<script type="text/javascript">
    if (window.location.href.indexOf('#') > -1) {
        window.location.href = '/';
    }
</script>

answered Jan 12 '17 at 14:05

quas

165
2
10

How to get rid of the #_=_ in the facebook redirect of django-social-auth?

3 Answers3