I'm writing an odd kind of webapp that is designed to communicate with other sites loaded into the browser. This is fairly trivial to do via MessageChannels. Now, these applications must access protected resources and must get authorization from the user. Using something that would allow these other applications to communicate with a server (such as OAuth) is not an option since there is no server: Support for P2P and E2EE connections is required. One idea I had for limiting access was to use Symbols: For example, if a message is sent that references a resource, it may contain the Symbol for that resource. Then, if the other application wants that resource, it can retrieve it by using that Symbol.
The problem is that I'm not sure this is secure. Is there any way to deliberately create a Symbol that is not unique? If so, this could potentially be used as an attack vector in my webapp: A malicious "client" application could just keep guessing Symbols until it finds one that corresponds to something useful.
Also, if there's a better way of doing this or you see any other issues with it, feel free to let me know ;)
EDIT: To clarify: Application A creates a Symbol to give to Application B. With this Symbol, Application B can access certain resources (files, objects, etc.) which are sent back to it. Is there any way for Application C to get access to a Symbol that is equivalent to the one given to Application B without actually being given the Symbol from either Application A or B?
EDIT: Confirmed that Symbols can, in no way, be transferred across MessageChannels. So there's little point to the question...