<blockquote>
<p>[Access token in URL query string]</p>
</blockquote>
<p>According to <a href="https://tools.ietf.org/html/rfc6750#section-5.3" rel="nofollow">https://tools.ietf.org/html/rfc6750#section-5.3</a>, this approach isn't recommended:</p>
<blockquote>
<p>Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be<br>
passed in page URLs (for example, as query string parameters).<br>
Instead, bearer tokens SHOULD be passed in HTTP message headers or<br>
message bodies for which confidentiality measures are taken.<br>
Browsers, web servers, and other software may not adequately<br>
secure URLs in the browser history, web server logs, and other<br>
data structures. If bearer tokens are passed in page URLs,<br>
attackers might be able to steal them from the history data, logs,<br>
or other unsecured locations.</p>
</blockquote>
<p>Adding this logic would be easily doable for sure. It feels a bit like encouraging bad practices, though.</p>
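<p>The log exposure described in the quoted RFC 6750 passage, seen from the defender's side, as an added example that is not part of the original comment or the project's code: a Ruby filter that finds and redacts <code>access_token</code> query values in access-log lines. The helper names, the parameter list and the sample log lines are constructed for illustration.</p>

```ruby
require "uri"

# Parameter names treated as bearer credentials. "access_token" is the name
# RFC 6750 section 2.3 uses; extend the list for your own API (assumption).
TOKEN_PARAMS = %w[access_token].freeze

# Redact token values in one query string, keeping every other pair as-is.
# Returns [scrubbed_query, number_of_values_redacted].
def scrub_query(query)
  count = 0
  pairs = query.split("&").map do |pair|
    key, value = pair.split("=", 2)
    name = begin
      URI.decode_www_form_component(key.to_s).downcase
    rescue ArgumentError
      key.to_s.downcase # malformed %-encoding: compare the raw key
    end
    next pair unless TOKEN_PARAMS.include?(name) && value && !value.empty?
    count += 1
    "#{key}=[REDACTED]"
  end
  [pairs.join("&"), count]
end

# Scrub every URL query found in an access-log line (request target and
# Referer alike). Returns [scrubbed_line, total_redactions].
def scrub_log_line(line)
  total = 0
  scrubbed = line.gsub(/\?[^\s"#]+/) do |match|
    query, n = scrub_query(match[1..-1])
    total += n
    "?#{query}"
  end
  [scrubbed, total]
end

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2021:10:00:00 +0000] "GET /api/resource?access_token=EXAMPLEtoken123 HTTP/1.1" 200 512 "-" "curl/7.68.0"',
  '203.0.113.8 - - [01/Jan/2021:10:00:01 +0000] "GET /api/resource HTTP/1.1" 200 512 "-" "curl/7.68.0"',
  '203.0.113.9 - - [01/Jan/2021:10:00:02 +0000] "GET /about HTTP/1.1" 200 900 "https://app.example/cb?state=x&access%5Ftoken=EXAMPLEtoken456" "Mozilla/5.0"',
].freeze

# Indexes of the lines in which at least one token value was found.
def leaking_lines(lines)
  lines.each_with_index.select { |l, _| scrub_log_line(l)[1] > 0 }.map { |_, i| i }
end
```

<p>The third sample line shows why the parameter name is decoded before comparison and why the Referer field is scanned as well as the request target.</p>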