I'm trying to add Dropbox support to my client-side-only JavaScript app (http://bbc.godbolt.org/). As best I can tell I can't authenticate without my site being hosted on a secure server.
For a variety of reasons it's tricky for me to get an HTTPS server set up, and as I'm not using server endpoints I don't see why Dropbox/OAuth mandates an https:// source URL.
I can't find any reference to this limitation, but I can't configure a non-HTTPS server in the Dropbox configuration for my app; and without specifying my endpoint the client-side authentication fails.
Am I missing something?
Thanks!
HTTPS is required by the OAuth 2 spec for good reason... the access token returned at the end of the authorization process is in plain text and could be stolen if not sent over a secure channel.
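
The point made in the answer above, shown as an added example that is not part of the original thread or Dropbox's own code: in a client-side (implicit grant) flow the access token comes back as plain text in the redirect URL's fragment, so the page handling the redirect should refuse to accept it over plain http and should check the `state` value it sent. The function names, the `app.example` URLs, the loopback allowance and the sample tokens are assumptions constructed for illustration.

```javascript
// True when the redirect landed on a TLS-protected page. Plain http on
// loopback is tolerated for local development (assumption: a common
// provider allowance, not something stated in the thread).
function isSecureRedirect(url) {
  if (url.protocol === 'https:') return true;
  const loopback = ['localhost', '127.0.0.1'];
  return url.protocol === 'http:' && loopback.includes(url.hostname);
}

// Parse the URL the authorization server redirected the browser to.
// expectedState is the random value the app stored before starting the flow.
function parseImplicitRedirect(href, expectedState) {
  const url = new URL(href);
  if (!isSecureRedirect(url)) {
    // Over http the token has already crossed the network in the clear.
    return { ok: false, reason: 'insecure-redirect' };
  }
  // RFC 6749 implicit grant: parameters are form-encoded in the fragment.
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  if (params.has('error')) {
    return { ok: false, reason: 'provider-error:' + params.get('error') };
  }
  // Reject responses that were not triggered by this browser session.
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state-mismatch' };
  }
  const token = params.get('access_token');
  if (!token) return { ok: false, reason: 'no-token' };
  // Return a fragment-free URL so the token can be removed from the
  // address bar and history.
  url.hash = '';
  return { ok: true, token, cleanUrl: url.toString() };
}

// Browser usage (not run here):
//   const r = parseImplicitRedirect(window.location.href,
//                                   sessionStorage.getItem('oauth_state'));
//   if (r.ok) history.replaceState(null, '', r.cleanUrl);
```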