OAuth token theft

TL;DR: Redirect_uri quirks, referer leak, postMessage leak, state-less flow, open-redirect chain → attacker captures access / refresh tokens.
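The two flow-level failures named in the TL;DR that an authorization server and client can close directly are loose redirect_uri matching and a state-less flow; the referer leak is a response-header problem on the page that receives the code. The following is an added example, not code from this page, showing the defensive checks: byte-for-byte redirect_uri matching against a registered allowlist, a single-use state bound to the session, and the headers the callback page should send. `REGISTERED_CLIENTS`, the session dict, and all sample URIs are constructed for illustration.

```python
"""
Defensive checks for an OAuth 2.0 authorization-code flow (added example).
Covers: exact redirect_uri matching, single-use state, and callback-page
headers. The client registry and sample inputs are constructed.
"""
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed registry: client_id -> exact redirect URIs registered at onboarding.
REGISTERED_CLIENTS: Dict[str, List[str]] = {
    "web-app": ["https://app.example.com/oauth/callback"],
}


def _eq(a: str, b: str) -> bool:
    """Constant-time equality on the UTF-8 bytes of two strings."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Accept redirect_uri only on exact, byte-for-byte match.

    Prefix, substring or host-only matching is what lets path, query and
    parser quirks steer the code or token somewhere unregistered, so the
    registered string must match whole. An unknown client_id never matches.
    """
    return any(_eq(requested, uri) for uri in REGISTERED_CLIENTS.get(client_id, []))


def new_state(session: dict) -> str:
    """Create a fresh, unguessable state value and bind it to the user's session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def consume_state(session: dict, returned_state: Optional[str]) -> bool:
    """Validate and consume the state from the callback.

    The value is popped so it can be used exactly once; a missing session
    value or missing parameter fails closed.
    """
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False
    return _eq(expected, returned_state)


def callback_response_headers() -> Dict[str, str]:
    """Headers for the page that receives ?code=... (or a token fragment).

    no-referrer stops the URL, and anything still in it, from being sent as
    a Referer to third-party resources loaded by that page; no-store keeps it
    out of shared caches.
    """
    return {
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }


def validate_callback(client_id: str, session: dict,
                      params: Dict[str, str]) -> Tuple[bool, str]:
    """Run the checks a client should apply before exchanging the code."""
    if not consume_state(session, params.get("state")):
        return False, "state missing or mismatched"
    if not redirect_uri_allowed(client_id, params.get("redirect_uri", "")):
        return False, "redirect_uri not registered for client"
    if not params.get("code"):
        return False, "authorization code missing"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through of one legitimate round trip.
    session: dict = {}
    state = new_state(session)
    callback = {
        "code": "constructed-code",
        "state": state,
        "redirect_uri": "https://app.example.com/oauth/callback",
    }
    print(validate_callback("web-app", session, callback))  # (True, 'ok')
```

`validate_callback` takes the redirect_uri the client itself sent on the authorization request so the token exchange can repeat it verbatim; the authorization server applies the same `redirect_uri_allowed` rule on its side. Both compare whole strings rather than parsed components, which is the simplest rule that does not reopen the quirks the TL;DR lists.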

Stub — to be filled in.

What it is

TODO

Preconditions / where it applies

TODO

Technique

TODO

Detection and defence

TODO

References