See D8517. I don't immediately have a clean way to defuse this, although our global intercept of the code parameter is likely sufficient to prevent it, as is disabling "Client OAuth Login" in, e.g., the Facebook configuration. The three obvious options are:
- Add an empty anchor if the URL doesn't have one (but this is messy from a user perspective).
- Do the redirect on the client side in JavaScript (but this is icky).
- Don't do anything and rely on code / configuration protections (or do something like just document this stuff).