Redirect to oauth_callback url containing semicolon won't work in some browsers


#1

Hi.

I’ve been coding an application using oauth API v1.1. Everything works fine, except one issue: My callback URL contains a semicolon and some browsers will not redirect as expected.

The redirect is done by Twitter via meta refresh:

<meta http-equiv="refresh" content="0;url=http://example.com/foo/bar;foo=bar?oauth_token=foo&oauth_verifier=bar">

Most browsers will do the redirect to the given location as expected.
All Internet Explorer versions will discard the part of the URL after the second semicolon. Some other browsers will encode the semicolon (depending on version and OS). The result is the redirect will never reach the intended location and the authorization will fail.

Doing the redirect by server or putting the URL in single quotes would solve the issue:

<meta http-equiv="refresh" content="0;url='http://example.com/foo/bar;foo=bar?oauth_token=foo&oauth_verifier=bar'">

URL-encoding the semicolon will not fix the problem (the server expects semicolon not %3B - semicolon is a reserved character (see http://tools.ietf.org/html/rfc3986#section-3.3 && http://tools.ietf.org/html/rfc3986#appendix-A)). The URL should be in single quotes, see http://www.w3.org/TR/html5/document-metadata.html#attr-meta-http-equiv-refresh && http://www.w3.org/TR/2012/NOTE-WCAG20-TECHS-20120103/H76.

Is it possible to do the refresh by server or add the single quotes to the URL in the meta tag?

Thank you.
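
The behaviour described in the post above, as an added example that is not part of the original post and is not Twitter's or any browser's code: a simplified parser following the HTML refresh quoting rule, next to an assumed model of the semicolon truncation, plus a builder for the quoted form. All function names are hypothetical; the sample URL is the one from the post.

```javascript
// Added example: simplified models, not browser or Twitter source code.

// Simplified HTML refresh parsing: after "<time>;" and an optional "url=",
// an unquoted URL runs to the end of the value; a quoted URL ends at the
// matching quote.
function parseRefresh(content) {
  const m = /^\s*(\d+)[\d.]*\s*[;,]?\s*(?:url\s*=\s*)?(.*)$/is.exec(content);
  if (!m) return null;
  let url = m[2];
  const quote = url[0];
  if (quote === "'" || quote === '"') {
    url = url.slice(1);
    const end = url.indexOf(quote);
    if (end !== -1) url = url.slice(0, end);
  }
  return { seconds: Number(m[1]), url };
}

// Assumed model of the truncation the post reports: every ";" outside quotes
// is a parameter separator, so an unquoted URL is cut at the second ";".
function parseRefreshSplitting(content) {
  const parts = content.match(/(?:'[^']*'|"[^"]*"|[^;])+/g) || [];
  const url = (parts[1] || "")
    .replace(/^\s*url\s*=\s*/i, "")
    .replace(/^(['"])(.*)\1$/s, "$2");
  return { seconds: Number(parts[0]), url };
}

// Build the content value with the URL quoted, as the post suggests. The
// quote character is chosen so that it does not occur in the URL; the result
// must still be HTML attribute-escaped when written into the <meta> tag.
function buildRefreshContent(seconds, url) {
  const quote = ["'", '"'].find((q) => !url.includes(q));
  if (!quote) throw new Error("URL contains both quote characters");
  return `${seconds};url=${quote}${url}${quote}`;
}

// Demo with the callback URL from the post.
const SAMPLE =
  "http://example.com/foo/bar;foo=bar?oauth_token=foo&oauth_verifier=bar";
console.log(parseRefreshSplitting("0;url=" + SAMPLE).url); // truncated
console.log(parseRefreshSplitting(buildRefreshContent(0, SAMPLE)).url); // full
```
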