On Fri, Jan 31, 2014 at 2:58 PM, Andrew Grieve <[email protected]> wrote:
> Ha! Well that's pretty clear. :) I don't think having JS generate it is a
> good idea then.

It is not. You as an app developer do not control who puts where their JS.

> Still, there might be an easier way than going through persistent storage.

The reason for localStorage is cause it leverages SOP. If you find another way to leverage SOP, that would be fine too.

> Next idea:
> How about having the Java side tell the JS side during start-up what the
> token is?
> E.g.: loadUrl(javascript:void(execToken=FOO)). JS can then get the token
> from there when they want to use exec().

Can't do that, cause loadUrl *is* insecure! Next idea please ;)
