TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.
© 2025 TechEcho. All rights reserved.

Mitigating OAuth's recently discovered Open Response Type vulnerability

7 points by colinclerk, 9 months ago

1 comment

colinclerk, 9 months ago

Hey - cofounder of Clerk here

Glad we were able to mitigate this one for our customers, but have also been a bit surprised this vulnerability hasn't been generating more chatter.

tl;dr: if you use Google OAuth, any XSS on your site can likely be chained into a long-lived account takeover. In a roundabout way, it works around the protections afforded by HttpOnly cookies.

You can mitigate by always redirecting to a URL with an empty fragment (#) if your oauth callback URL experiences any failure.