by j-f1
2281 days ago
Isn’t this true of any client side site? If the client side JS has access to some information, it’s always possible for the server to inject custom JS that returns the data. Theoretically this setup provides little additional security but it does allow (for example) people to use a client pinned to a version they’ve verified to not leak information and collaborate without worrying about leakage. (Excalidraw developer here)
I agree with your comment. I just don’t want anyone to think that a key stored in the location hash is somehow truly protected from ever getting back to the server, which was how the comment to which I responded sounded to me.