pull down to refresh

IIRC fragments don’t go to the server on GET requests, either, so that helps in this scenario. I’m guessing that’s why they chose fragments instead of query params to house the decryption key
Ah right! I didn't actually notice the # in the URL. For anyone wondering how this works let me explain. Here's an example URL.
The first part of the URL after the ? is the query parameter. This part of the URL is sent to the server to identify the encrypted data.
The part after the # is the fragment. Historically this was used to identify part of the page so the browser could scroll to it when the link was clicked. Later, it got hijacked by modern JavaScript frameworks for all sorts of purposes.
Indeed, I admit my mistake, putting the decryption key in the fragment is safer. Although, personally I'd still be more comfortable using a password (e.g. hello).
reply