From 90f641059fbd4103fc165411978ce4b4b2b5b206 Mon Sep 17 00:00:00 2001 From: Joe Littlejohn Date: Sun, 27 Nov 2016 17:14:09 +0000 Subject: [PATCH] On complete, ignore fragments that don't contain useful information Auth providers like Facebook and Google tend to add garbage fragments onto OAuth 2.0 redirect URIs to stop malicious fragments being maintained through the flow. This change ensures that those fragments aren't mistakenly used to attempt to complete login. If the fragment contains a code, token or error, it is assumed to be the correct place to find data provided by the auth provider. --- src/main/html/o2c.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/html/o2c.html b/src/main/html/o2c.html index 30e986ac..0cde1d39 100644 --- a/src/main/html/o2c.html +++ b/src/main/html/o2c.html @@ -1,6 +1,6 @@
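Review bot: In the single changed line of src/main/html/o2c.html (hunk @@ -1,6 +1,6 @@), the "contains a code, token or error" test described in the commit message should compare against parsed parameter names rather than search the raw fragment string, otherwise a filler fragment that merely includes the text "code" or "error" is still chosen over the query string. The body of the hunk is not visible here, so this needs confirming against the actual line. The exact keys that count should also be documented next to the check (for example whether "token" means access_token). Note too that a fragment carrying one of those keys still takes precedence over the query, so with a provider that does not overwrite the fragment, a value carried through the redirect can still be selected; whatever validation runs on the chosen parameters must apply to both sources.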