Re: 9.8.7. Historic Note <https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-02#section-9.8.7>

> Historically, the Implicit flow provided an advantage to single-page apps since JavaScript could always arbitrarily read and manipulate the fragment portion of the URL without triggering a page reload. Now with the Session History API (described in "Session history and navigation" of [HTML <https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-02#ref-HTML>]), browsers have a mechanism to modify the path component of the URL without triggering a page reload, so this overloaded use of the fragment portion is no longer needed.

Does this historical note mean to indicate that if the implicit flow were designed today, it could use the path instead of the fragment to carry the token? Doesn't this overlook the important aspect that fragments are not sent to the server?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
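The distinction the question turns on, as an added example that is not part of the original mailing-list message or of the draft: the browser's request-target for a navigation is the path plus query, never the fragment, so a token delivered in the fragment stays client-side while a token placed in the path would reach the server (and its access logs, Referer headers, and proxies). The code uses only the WHATWG URL API, so it runs unchanged in Node.js or a browser; the sample redirect URLs and the token value are constructed placeholders, and `scrubbedUrl` is a hypothetical helper for the value a client would pass to `history.replaceState()` after consuming the fragment.

```javascript
// Added example (not from the original post or the draft). Assumes the WHATWG
// URL API (globals URL and URLSearchParams), available in browsers and Node.js.

// The request-target a browser puts on the wire for a navigation is the path
// plus the query. The fragment is stripped before the request is sent.
function requestTarget(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// The implicit grant delivers access_token, token_type, state, ... in the
// fragment, encoded as application/x-www-form-urlencoded; parse it client-side.
function fragmentParams(redirectUrl) {
  const u = new URL(redirectUrl);
  return Object.fromEntries(new URLSearchParams(u.hash.replace(/^#/, '')));
}

// True if the token value is visible to the server in the request-target.
function tokenReachesServer(redirectUrl, token) {
  return requestTarget(redirectUrl).includes(token);
}

// Hypothetical helper: the URL a client would hand to history.replaceState()
// once it has read the fragment, so the token does not linger in the address
// bar or in session history.
function scrubbedUrl(redirectUrl) {
  const u = new URL(redirectUrl);
  u.hash = '';
  return u.href;
}

// Constructed sample values (placeholder token, not a real credential).
const TOKEN = 'EXAMPLE_ACCESS_TOKEN_NOT_REAL';
const FRAGMENT_REDIRECT =
  `https://client.example/cb#access_token=${TOKEN}&token_type=bearer&state=xyz`;
const PATH_REDIRECT = `https://client.example/cb/${TOKEN}?state=xyz`;

// Stand-alone usage: compare what each redirect style exposes to the server.
console.log('fragment redirect, server sees:', requestTarget(FRAGMENT_REDIRECT)); // "/cb"
console.log('path redirect, server sees:    ', requestTarget(PATH_REDIRECT));
console.log('token parsed client-side:      ', fragmentParams(FRAGMENT_REDIRECT).access_token);
console.log('URL after replaceState:        ', scrubbedUrl(FRAGMENT_REDIRECT));
```

Running this shows the fragment-style redirect producing a request-target of just `/cb`, while the path-style redirect carries the token in the request-target; the Session History API lets a client tidy the address bar after consuming the fragment, but it does not change which URL components the browser transmits.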