In the OAuth 2.0 draft specification, user-agent clients receive authorization in the form of a bearer token via redirection (from an authentication server) to a URL such as

HTTP/1.1 302 Found
Location: http://example.com/rd#access_token=FJQbwq9&expires_in=3600

According to Section 3.5.2 it is then the user-agent's job to GET the URL in question, but "The user-agent SHALL NOT include the fragment component with the request." In other words, as a result of the example redirection above, the user-agent should

GET /rd HTTP/1.1
Host: example.com

without passing #access_token to the server.

My question: what user agents behave this way? I thought redirection in Firefox, for example, would (logically) include the fragment in the GET request. Am I just wrong about this, or does the OAuth 2.0 specification rely on non-standard user-agent behavior?

A: 

In fact, Firefox and other browsers behave this way by default. Fragments after the # in a URL are used by the browser to determine which part of a page to show; they are not sent to the server as part of a GET request.

LenSchulz
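The behaviour described in the answer, as an added example that is not part of the question or the answer above: the script below models what a browser does with the redirect from the question. The path and query of the Location URL become the request target, while the fragment stays inside the user agent, which is exactly why the implicit grant puts the bearer token there (it never reaches the redirect endpoint or its access logs). The only code that can read the token is the page script, shown here as a small fragment parser that rejects a redirect with no token or a bad expiry. It assumes Node.js with the WHATWG URL API (global URL and URLSearchParams); the sample Location value is constructed from the question.

```javascript
// Added example, not code from the question or answer above. Models how a user
// agent handles an OAuth 2.0 implicit-grant redirect: the request it sends to
// the server carries pathname + search only, and the fragment is handled
// client-side. Assumes Node.js with the WHATWG URL API (URL, URLSearchParams).

// Constructed sample: the Location header value from the question.
const SAMPLE_LOCATION =
  'http://example.com/rd#access_token=FJQbwq9&expires_in=3600';

// What the user agent actually puts on the wire when it follows the redirect.
// Only url.pathname and url.search are used; url.hash is never part of it.
function requestForRedirect(location) {
  const url = new URL(location);
  return {
    requestLine: `GET ${url.pathname}${url.search} HTTP/1.1`,
    host: url.host,
    // True by construction: the hash is not included in the request-line.
    fragmentSentToServer: false,
  };
}

// Client-side handling of the fragment, the only place the token is readable.
// Returns { accessToken, expiresIn } or throws when the redirect does not
// carry a usable bearer token (no fragment, no access_token, bad expires_in).
function parseImplicitGrantFragment(location) {
  const url = new URL(location);
  if (!url.hash || url.hash.length < 2) {
    throw new Error('redirect carried no fragment; no token was delivered');
  }
  // url.hash keeps the leading '#', strip it before parsing as key=value pairs.
  const params = new URLSearchParams(url.hash.slice(1));
  const accessToken = params.get('access_token');
  if (!accessToken) {
    throw new Error('fragment has no access_token');
  }
  const expiresIn = Number(params.get('expires_in'));
  if (!Number.isInteger(expiresIn) || expiresIn <= 0) {
    throw new Error('expires_in is missing or not a positive integer');
  }
  return { accessToken, expiresIn };
}

// Run stand-alone: the server side sees only "GET /rd HTTP/1.1" plus the Host
// header, while the page script sees the token and its lifetime.
console.log(requestForRedirect(SAMPLE_LOCATION));
console.log(parseImplicitGrantFragment(SAMPLE_LOCATION));
```

A query string, unlike the fragment, does travel to the server: a token placed in `?access_token=...` would show up in the request-line above, which is the distinction the specification's "SHALL NOT include the fragment component" language is relying on.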