After a lot of discussion on the mailing list over the last few months, and after some excellent discussions at the OAuth Security Workshop, we've been working on revising the draft to provide clearer guidance and clearer discussion of the threats and consequences of the various architectural patterns in the draft.
I would like to give a huge thanks to Philippe De Ryck for stepping up to work on this draft as a co-author!
This version is a huge restructuring of the draft and now starts with a concrete description of possible threats of malicious JavaScript as well as the consequences of each. The architectural patterns have been updated to reference which of these threats are mitigated by each pattern. This restructuring should help readers make a better informed decision by being able to evaluate the risks and benefits of each solution.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html
Please give this a read; I am confident that this is a major improvement to the draft!