alexandregz / twofactor_gauthenticator

This RoundCube plugin adds the 2-step verification (OTP) to the login process
MIT License

Use crypto.getRandomValues instead of Math.random to generate secrets #116

Closed bartnv closed 4 years ago

bartnv commented 4 years ago

Math.random is not cryptographically secure and thus should not be used to generate secrets. The Web Cryptography API used here is supported from IE 11, Firefox 34, Chrome 37 and Safari 11 onwards. That is a bit less than what Roundcube itself supports, but still very reasonable considering that this feature will be used by security conscious people who will most likely not be running massively out-of-date browsers.

alexandregz commented 4 years ago

thx!