Do you mind expanding?

Specifically, what do you mean by de-golfed (I'm only vaguely aware of what 'kids' mean by code-golf these days, and I'm kinda lost on de-golfing).

What would you like to fit into a QR code? A PortableSecret (e.g. html file)?

Like sibling comment elucidates, code-golfing is just using tricks to get the size of a program down without impacting its functionality. This could be as simple as using single-character variable names or something more complicated like including a decompressor that expands some packed code before execution.

If you got the decryption code plus the payload small enough you could theoretically put the whole thing into a data URL (a URL that doesn't link to a remote resource, but contains all the data needed to display a web page). This data url could theoretically then be encoded into QR and accessed entirely locally on anyone's smart device.

> If you got the decryption code plus the payload small enough you could theoretically put the whole thing into a data URL (a URL that doesn't link to a remote resource, but contains all the data needed to display a web page)

This is how the 'secret creator' page works :-)

This used to be called munging

It’s called minification in the JavaScript ecosystem.

Minification may, or may not, involve munging, for example shortening `const foobar = 1;` into `var f = 1;`. This is not always a safe operation, and in some cases you want to disable munging when minifying your code so that you have meaningful component / function names in your stack traces even without sourcemaps.

Code golfing is the act of finding ever and ever smaller, but functionally equivalent, expressions of a specific piece of code. Usually involves a lot of tricks specific to the language the golfing is done in.

So yes, it would contain the PortableSecret minimized to such an extent that the whole thing fits in a QR-code (which has a practical upperlimit of a few KB?)

Gotcha. Thank you.

IDK about including a full HTML into a QR code (how would you even open it? Wouldn't a reader get confused expecting a URL or plain string?)

But...

You can publish portable secrets on your website (just make sure they aren't advertised/linked/crawled) and then create a QR code of the (secret-by-obscurity) URL.

Use a data URL and use base64 variant of the resource

Not just QR code, may be small enough secrets fit in a URL (2KB I think is the limit)!

See also the now defunct sharelock.io by Auth0: https://news.ycombinator.com/item?id=9109924

For creating and later validating magic-links (using Web APIs), I encode the IV, Salt, Cipher all in the URL as a single base64 token: https://github.com/celzero/otp/blob/cddaaa03f12f765fa8da9178...

(Btw, reading through your code makes me wonder if I should pad the plaintext to match blocksize despite https://archive.is/NX7Y2)?

You are saying padding might be superfluous because of AES-GCM, correct?

(I was using AES-CBC before, that's why the padding is there)

Not the original commenter, but if the whole HTML could be included, it would be nice. It is defenitely possible until certain data limits. However, you would need certain app to use it, since by default QR readers probably can’t benefit from it so that it actually increases the usability. File should be extracted and then opened with browser from correct path.