Better Spec Compliance #55

@avnr

http://tools.ietf.org/html/rfc6749#section-3.1.2.5:

The client SHOULD NOT include any third-party scripts (e.g., third-party analytics, social plug-ins, ad networks) in the redirection endpoint response.

Yet the demo's redirect page includes a call to Google Analytics. I know that RFCs' SHOULD NOT is not as severe as MUST NOT, but after all people may be using the demo as a template app and end up exposing tokens via the GA info chain.
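
An added example, not part of the issue or the project's code: a static check, suitable for CI, that lists third-party script references in a redirection endpoint response, including URLs that an inline loader snippet injects at runtime. The callback URL, the `SAMPLE` page and all function names are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# URL literals ('https://...' or '//host/...') inside inline script text.
URL_LITERAL = re.compile(r"""["']((?:https?:)?//[^"'\s]+)["']""")

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class ScriptCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.in_inline = False
        self.found = []  # (kind, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.found.append(("src", urljoin(self.page_url, src)))
            self.in_inline = not src

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_inline = False

    def handle_data(self, data):
        # Loader snippets inject a <script> at runtime, so scan inline code too.
        if self.in_inline:
            for m in URL_LITERAL.finditer(data):
                self.found.append(("inline", urljoin(self.page_url, m.group(1))))

def third_party_scripts(html, page_url):
    """Return script references whose origin differs from the redirect page's."""
    collector = ScriptCollector(page_url)
    collector.feed(html)
    collector.close()
    own = origin(page_url)
    return [(kind, url) for kind, url in collector.found if origin(url) != own]

# Constructed sample of a redirection endpoint response (not the demo's page).
SAMPLE = """<html><head>
<script src="/static/app.js"></script>
<script>var s = document.createElement('script');
s.src = '//www.google-analytics.com/analytics.js'; document.head.appendChild(s);</script>
<script src="https://cdn.example.net/widget.js"></script>
</head><body>Signing you in...</body></html>"""
```

An empty result from `third_party_scripts(SAMPLE, "https://client.example/oauth/callback")` would mean the page only loads same-origin scripts; here it reports the analytics loader and the CDN widget.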
