Releases: oauth-wg/oauth-browser-based-apps

Draft 24

03 Mar 16:01
  • Updated terminology definitions
  • Fixed typos
  • Updated acknowledgements

Draft 23

01 Mar 19:59
  • Ensure acronyms and other specifications are defined and referenced on first use, and added to terminology
  • Clarified that malicious JavaScript is the basis of the threat analysis earlier in the document
  • Clarified why filesystem storage of private key is a concern
  • Clarified JS runtimes in intro
  • Addressed feedback from secdir review
  • Clarified that the specific attacks described are the relevant ones for this document because they are OAuth-specific
  • Described the relationship to session fixation attacks
  • Clarified that section 8 is talking about OAuth tokens specifically
  • Mentioned that localStorage is synchronous
  • Applied suggestions about scope of malicious JS code from Martin Thompson's review
  • Clarified "attacking the service worker" to be explicit that this is about the authorization code flow
  • Clarified the intent of storing the refresh token in a web worker
  • Mention explicitly access token and refresh token instead of "set of tokens" on first use per section
  • Slightly rephrased Web Worker section to not sound like a recommendation
  • Editorial edits to remove the phrase "perfect storage mechanism"
  • Fixed references

Addressed all feedback from the genart, opsdir, artart, secdir, and httpdir reviews:

  • #65 genart review
  • #70 secdir review
  • #71 opsdir review
  • #72 artart review
  • #73 httpdir review

Draft 22: Addressing AD review

17 Jan 22:55
  • Addressed AD review (#64)
  • Moved RFC6819 reference to informal
  • Added missing references from prose
  • Replaced references to living standards with references to snapshots

Updated references

23 Dec 14:56
draft-ietf-oauth-browser-based-apps-21

Fixed references from shepherd writeup review

Draft 19

20 Oct 21:03
  • Updated references

Draft 18

01 May 17:38
  • Addressed last call comments from Justin Richer and Andy Barlow
  • Updated description of the benefits of the Token-Mediating Backend pattern
  • Added SVG diagrams in HTML version
  • Added privacy considerations for BFF pattern
  • Consistent use of "grant type", "grant" and "flow"

Draft 17

28 Feb 23:17
Full Changelog: draft-ietf-oauth-browser-based-apps-16...draft-ietf-oauth-browser-based-apps-17

Draft 16

17 Feb 00:23
  • Applied editorial changes from Filip Skokan and Louis Jannett
  • Clarified when cookie encryption applies
  • Added a section with security considerations on the use of postMessage

Draft 15

23 Oct 15:19

Huge thanks to @philippederyck for the massive amount of work that went into this update!

  • Restructured document to have top-level recommended and discouraged architecture patterns
  • Consolidated guidelines for public JS clients in a single section
  • Added more focus on best practices at the start of the document
  • Added Philippe De Ryck as an author

Draft 13

13 Mar 19:00
  • Corrected some uses of "DOM"
  • Consolidated CSRF recommendations into normative part of the document
  • Added links from the summary into the later sections
  • Described limitations of Service Worker storage
  • Minor editorial improvements