|
|
|
|
|
|
by leesalminen
982 days ago
|
|
|
Presumably they’re placing it in the # part of the url, which isn’t passed to servers by browsers. Now, of course, the client could still exfiltrate the key with client side JS, but that would be noticeable to anyone that wanted to check. |
|
|