Y
Hacker News
new
|
ask
|
show
|
jobs
by
sli
982 days ago
If the key is just in the URL, what's stopping them from simply obtaining the key out of their access logs and decrypting whatever they want?
1 comments
leesalminen
982 days ago
Presumably they’re placing it in the # part of the url, which isn’t passed to servers by browsers. Now, of course, the client could still exfiltrate the key with client side JS, but that would be noticeable to anyone that wanted to check.
link