Do not require oob when "callback is prefix" checkbox is unset
Open, Needs Triage, Public


This seems to be a constant source of confusion. Currently, if it is disabled, you are required to send oob as the callback parameter; there is no reason not to accept a request in which callback is set to the same URL that the application was registered with.
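The requested check, sketched as an added example (not part of the original report and not the project's own code). The function names, the `accept_exact` switch, the sample URL, the choice to redirect to the registered URL on `oob`, and the whole prefix branch are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OOB = "oob"  # value the report says is currently required when the checkbox is unset
REGISTERED = "https://app.example/oauth/cb"  # constructed sample registration


def _norm(url):
    """Split a URL into comparable parts; scheme and host are case-insensitive."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query)


def resolve_callback(registered, is_prefix, requested, accept_exact=True):
    """Return the URL to redirect to, or raise ValueError.

    accept_exact=False models the behaviour the report describes as current;
    accept_exact=True models the change it asks for.
    """
    if not is_prefix:
        if requested == OOB:
            return registered  # assumption: oob falls back to the registered URL
        if accept_exact and _norm(requested) == _norm(registered):
            return registered
        raise ValueError("callback must be 'oob' or the registered URL")
    # Assumption (not stated in the report): with the checkbox set, the
    # requested callback must extend the registered URL. Scheme and host are
    # compared as whole components, so a look-alike host with the registered
    # host as a string prefix does not pass.
    r_scheme, r_host, r_path, _ = _norm(registered)
    q_scheme, q_host, q_path, _ = _norm(requested)
    if (r_scheme, r_host) != (q_scheme, q_host) or not q_path.startswith(r_path):
        raise ValueError("callback is outside the registered prefix")
    return requested


def accepted(*args, **kwargs):
    """True if resolve_callback() accepts the request, False if it rejects it."""
    try:
        resolve_callback(*args, **kwargs)
        return True
    except ValueError:
        return False
```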