I've reviewed this document as an assigned ART reviewer. I'm not an expert in OAuth. I haven't seen any issues from the perspective of ART or i18n. I found this document comprehensive, detailed, and useful for application architects and developers. I have the following comments.

Substantive:

- On my reading, it seems that the only foundational threat here is the ability for the attacker to inject malicious code. Okay. If this is the case, I think this should be pointed out clearly at the beginning of the document.

- On my reading, I see that this document discusses two topics: security issues and best practices for browser-based apps that are using any kind of authentication mechanism, and specific ones when using OAuth. I'm wondering a) if we already have any document that describes the generic issues, in which case we should refer to it or update it; b) if we don't, given that a lot of this document is valuable for issues not specifically related to OAuth, whether we could split the document in two: one for non-OAuth issues, and then a second one strictly on OAuth-specific issues. That way, the first one can be referenced by non-OAuth work. Having said that, this suggestion may have been discussed already in the working group, or may not make sense for reasons I don't know. Please discard it if it does not make sense.

Editorial:

- Section 4: expand PKCE on first use and add a reference. That expansion is done later in the document in section 6.3.2.1, so remove that expansion there.

- DPoP similarly.