Section 3.5.1, version 01, says: "These clients cannot keep client secrets confidential and the authentication of the client is based on the user-agent's same-origin policy."
I don't think that the same-origin policy comes into play in this case. Authentication of the client is based only on the end-user validating the redirection URI.

Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth