remotestorage/remotestorage.js

Hash is removed if it contains an `=`.


Right now if the hash contains an = it is assumed to "belong" to the remotestorage.js oauth flow and is removed in its entirety. This is very annoying for websites that want to use the hash themselves. Instead the hash should only be removed if there is strong evidence to indicate that we are doing the remotestorage.js oauth flow (for example rsDiscovery or access_token and state are set). Ideally even stronger verification could be done such as embedding a random value that is unlikely to be used by the embedding application.

```js
var params = extractParams(),
    location;
if (params) {
  location = Authorize.getLocation();
  location.hash = '';
}
```
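A sketch of the stricter check the issue asks for, added here as an example and not taken from remotestorage.js: the hash is cleared only when it carries `rsDiscovery`, or `access_token` together with a `state` that matches a random value stored before the redirect. The function names, the `expectedState` argument and the sample hashes are assumptions made for illustration.

```javascript
// Added example (not remotestorage.js code); all names here are hypothetical.

// Parse "#a=1&b=2" into a prototype-less map. Fragments without key=value
// pairs (e.g. "#section") yield an empty map.
function parseHashParams(hash) {
  const out = Object.create(null);
  for (const pair of String(hash).replace(/^#/, '').split('&')) {
    const i = pair.indexOf('=');
    if (i <= 0) continue; // no key, or no '=' at all
    try {
      out[decodeURIComponent(pair.slice(0, i))] =
        decodeURIComponent(pair.slice(i + 1));
    } catch (e) {
      // Malformed percent-encoding: treat the pair as not ours and skip it.
    }
  }
  return out;
}

// Decide whether the fragment belongs to the OAuth flow.
// expectedState is the random value stored before redirecting (assumption);
// when it is undefined, only the presence of both parameters is required.
function classifyHash(hash, expectedState) {
  const p = parseHashParams(hash);
  if ('rsDiscovery' in p) return { ours: true, reason: 'rsDiscovery', params: p };
  if ('access_token' in p && 'state' in p) {
    if (expectedState !== undefined && p.state !== expectedState) {
      // A token we did not ask for: do not consume it, do not touch the hash.
      return { ours: false, reason: 'state-mismatch', params: null };
    }
    return { ours: true, reason: 'oauth', params: p };
  }
  return { ours: false, reason: 'app-hash', params: null };
}

// Clear the hash only when the evidence says it is ours.
// loc is any object with a writable `hash` (window.location in a browser).
function consumeOAuthHash(loc, expectedState) {
  const verdict = classifyHash(loc.hash, expectedState);
  if (verdict.ours) loc.hash = '';
  return verdict;
}
```

Checking `state` against the stored value also means a fragment carrying an unsolicited `access_token` is left alone and never handed to the library.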