(no title)

Glad we were able to mitigate this one for our customers, but have also been a bit surprised this vulnerability hasn't been generating more chatter.

tl;dr: if you use Google OAuth, any XSS on your site can likely be chained into a long-lived account takeover. In a roundabout way, it works around the protections afforded by HttpOnly cookies.

You can mitigate by always redirecting to a URL with an empty fragment (#) if your oauth callback URL experiences any failure.