XSS vuln. And that’s bad. Because session auth is the only way to authorise apps, and we don’t want any way for API keyholders to steal the user’s session.
Discussion and changes