@cel that is right. They'd need to at least run some javascript to do the decryption. It's not a big deal if a local server sees the keys, but I don't want a pub seeing that.

normally, the encryption means that a pub does never see it! but if the encoding of the secret in a url causes a browser to send it to another pub, then you have just unintentionally leaked a private secret.