It's such a lazy, bad proposal that even if one wanted what it promises to deliver, you'd be hard-pressed to choose a better way of getting it used for malicious purposes. Handing the token back to the web script means successful cross-site scripting attacks can farm, exfiltrate and repurpose the tokens, as well as bypass attempts to limit which domains are allowed to receive their contents.