Who needs to link to the current user's profile page without knowing it? Only FB should have to do that and they know the profile page url. Other people should be linking to the profile page directly only if they know it, not based on which user is viewing. They should really have two profile URLs:
To fix this FB could stop doing this redirect entirely as it leaks information about the current user's session, and should not be necessary. I'm sure it'll break someone's links, somewhere, but it was a bad idea to begin with, and related is this old trick which let's you view a very popular profile:
All that should be required is a public profile url which can be shared (if you wish) or not, and a private profile url, and the url of the private profile should be generic and not redirected, so that it doesn't leak info in this way, and because it's not the same as a public profile anyway.
The problem with that is that different people viewing the same URL (/profile.php) gets a different resource. What happens if someone gives a link to his profile.php over IM or something, expecting it to show his own profile? The URL the user is shown in the address bar should represent the current resource being viewed.
A better solution could be to replace links to profile.php with direct links to the real profile URL, and just kill that profile.php redirection.
see a different resource? For a web app like FB I don't think this avoidable. All data served is dependent on who you are when you are logged in.
For another example of how to handle this better, see twitter:
twitter.com - the user's feed, content differs for each user
twitter.com/username - the user's public url, for sharing, a proper URI which everyone can use
twitter.com/settings/profile - the user's private profile, content differs for each user
I agree they shouldn't need that redirection with no id supplied and I suspect it's just a legacy of the original way of showing profiles (profile.php?id=n), they could just redirect it to root instead (shows the same as profile.php it seems) to avoid leaking state.
The behavior of the browser, after appending an '#' to location.href, is different depending on the value of the current URL.
The state of the browser after making such a change gives you information about what the current URL was before making the change.
The information it gives you is whether or not you only appended '#.* ' to the current URL.
Normally, this information is only available in this context if the current URL follows the code origin policies of the currently executing code. In most browsers, this means you can only look at current URLs if they are in the same domain as the executing code.
The article shows code that exploits this to try to guess your Facebook username.
This is interesting 1) because it allows for brute force attacks to gain potentially sensitive information and 2) this may cause new discoveries that could make this more efficient or that expand what is possible and 3) because this behavior is as designed.
