I have a small web app that needs several extra secrets saved (not covered by a normal form login submit). I want to store them using history.pushState(), but before I did, I wanted to get a sense of how secure it is from the professionals here.
MDN says the state is only available to the url that pushed them. So it sounds provisionally good.
Any caveats here, or reasons why this is a bad idea? Are there better alternatives?
Thanks!
