I can routinely reproduce this on XenForo.com and FF 3.6.15; maybe it is by design? It works correctly in IE8, for me anyway.

During this test with FF, I'm already authenticated in Facebook. As a guest on XenForo, try to view an attachment from the "Style" forum; you'll be sent to the XF log-in page and asked to sign in. I click the "login with facebook" button, and instead of seeing the attachment (because I'm already authenticated with Facebook), I get a "Forbidden" message for that attachment. IE8 correctly shows me the attachment.

Could it be my browser misbehaving, or something wrong with the state of my Facebook session?

EDIT: I added that in both cases, I'm already authenticated with Facebook.