I would like to get some ideas on how to properly handle Salesforce OAuth Consumer Key and Secret in Chrome Extensions and Gmail Gadgets. Chrome extensions are essentially Javas
Here are a couple of options.
1) Run a proxy through your own server that protects the secrets and limits the allowed methods through your own API. This will also allow you to update the API keys in moments instead of the potential days to update an extension.
2) Obfuscate the secrets in the extension/gadget code. You can make it difficult to find but with Chrome it will be easy to pick out the keys in the dev tools network tab.
3) Say screw it, leave them in the code, and make sure no actual damage can be done using the secrets.
As for Salesforce's roadmap, you will likely have to ask them, and they probably won't comment.
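A sketch of option 1, added here as an illustration and not part of the original answer: the core request-building logic of a proxy that keeps the consumer secret on the server and exposes only two fixed routes. The route names, the `config` shape, and the function name are assumptions; the upstream URL is Salesforce's standard OAuth token endpoint.

```javascript
// Added example (hypothetical names). The consumer key and secret live only in
// server-side config; the extension never sees them and cannot override them.
const SF_TOKEN_URL = "https://login.salesforce.com/services/oauth2/token";

// Allowlist: each proxy route maps to exactly one OAuth grant type and the
// only fields the client is permitted to supply for it.
const ALLOWED_ROUTES = new Map([
  ["POST /oauth/exchange", { grant: "authorization_code", fields: ["code"] }],
  ["POST /oauth/refresh", { grant: "refresh_token", fields: ["refresh_token"] }],
]);

function buildUpstreamRequest(clientReq, config) {
  const route = ALLOWED_ROUTES.get(`${clientReq.method} ${clientReq.path}`);
  if (!route) return { ok: false, status: 404, error: "route not allowed" };

  const body = clientReq.body || {};
  const params = new URLSearchParams();
  // grant_type is fixed by the route, never taken from the client.
  params.set("grant_type", route.grant);

  // Copy only allowlisted fields; anything else the client sent is dropped.
  for (const field of route.fields) {
    const value = body[field];
    if (typeof value !== "string" || value === "") {
      return { ok: false, status: 400, error: `missing field: ${field}` };
    }
    params.set(field, value);
  }

  // The redirect URI is pinned server-side for the code exchange.
  if (route.grant === "authorization_code") {
    params.set("redirect_uri", config.redirectUri);
  }

  // Credentials are attached last so no client field can shadow them.
  params.set("client_id", config.clientId);
  params.set("client_secret", config.clientSecret);

  return {
    ok: true,
    url: SF_TOKEN_URL,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: params.toString(),
  };
}
```

An HTTP handler would pass the returned object to `fetch` and relay only the token response to the extension; rotating the key then means changing `config` on the server rather than shipping a new extension build.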