[jwally]

OH FFS!!!!

Serves me right having ChatGPT add commentary and me not double checking.

This is what it should be:

          const keyPair = await crypto.subtle.generateKey(
            { name: "ECDSA", namedCurve: "P-256" },
            false, // this makes it not extractable
            ["sign", "verify"]
          );

Run that in HTTPS (here if you want) and try to extract the private key - I don't think you can, but could be wrong.

[xori]

Yeah that does it for new keys generated, any old keys in IDB obviously still are exposed.