[Xamayon]

That's essentially how mega.io works. The browser encrypts before upload, and the key is added to the download URL. When downloading, the browser uses the key in the URL for local decryption.

The intention is for them to have no access to or knowledge of file contents. Since the key is the URL, and URLs are generally sent to the server by the browser, Mega could (presumably) get the keys when someone follows the download link.

I believe removing the key from the URL still works, the site just prompts for it when needed, but that could also make its way to Mega if they ever decided they wanted it. It seems like a decent approach for ease of use, but has some weaknesses if security is the main goal. Encrypting separately before upload is still a very good idea if it matters for whatever reason.

[ranger_danger]

The key is in the part of the URL after the #, which currently is never sent to servers in any browser, but I suppose that could change.

The more secure method IMO to using the web client (which could have malicious JS pushed to it at any time), would be to use a standalone mega client that you control the source to and can verify yourself.