Secure handling of OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets

Question

I would like to get some ideas on to properly handle Salesforce OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets. Chrome extensions are essentially Javascript wrapped up in a zip compatible format. If I need to build an extension that calls Salesforce APIs on behalf of the user, I have to embed the Salesforce generated App OAuth Consumer Key and Secret in Javascript for the extension. This creates the possibility of disclosure of the OAuth Consumer Key and Secret, and possible misuse.

I am curious as to how other developers are handling these OAuth Consumer Key and Secrets in Chrome Extensions.

Google provides anonymous Consumer Keys and Secrets for Chrome Extensions that need to access Google APIs. However Salesforce doesn't provide similar OAuth setup. Is this on the roadmap for the Salesforce OAuth 2.0 implementation?

Answer 1

Here are a couple of options.

1) Run a proxy through your own server that protects the secrets and limits the allowed methods through your own API. This will also allow you to update the API keys in moments instead of the potential days to update an extension.

2) Obfuscate the secrets in the extension/gadget code. You can make it difficult to find but with Chrome it will be easy to pick out the keys in the dev tools network tab.

3) Say screw it, leave them in the code, and make sure no actual damage can be done using the secrets.

As for Salesforce's roadmap you will likely have to ask them and they probably won't comment.