This avoids content spoofing attacks by crafting a URL with malicious
messages, because the `state` param is only present in the session after
a valid OAuth2 authentication flow.

Changelog: security