I launch a new browser window from a parent script with:
window.open(url, "MyAppTitle", "width=300, height=600, menubar=no, scrollbars=no, resizable=no");
The new window loads another script which needs a password to make a connection to a service. To send the password from the parent script to the other script I use:
window.passwdString = "mypassword";
where mypassword is the password that needs to be transferred to the other script.
Then, in the other script, I retrieve the password with:
var userPass = window.opener.passwdString;
Everything works fine in desktop browsers, but in mobile browsers it doesn’t work. To make it work in mobile browsers I can save the password to sessionStorage or localStorage with:
localStorage.setItem("passwdString", "mypassword");
then get the value with:
var userPass = localStorage.getItem("passwdString");
The problem with this approach is that it is less secure. Even if I delete the password (with localStorage.removeItem("passwdString")) immediately after it is used to make the connection, there are still a few seconds where it is saved to the browser’s storage.
I also tried other suggestions like:
var newWindow = window.open(url, "MyAppTitle", "width=300, height=600, menubar=no, scrollbars=no, resizable=no");
newWindow.passwdString = "mypassword";
Then, in the new window, retrieve it with:
window.passwdString
or
var newWindow = window.open(url, "MyAppTitle", "width=300, height=600, menubar=no, scrollbars=no, resizable=no");
newWindow["passwdString"] = "mypassword";
Then, in the new window, retrieve it with:
window["passwdString"]
but they don’t work in mobile browsers. The only thing that works there is to use sessionStorage or localStorage to store the password and then delete it after it has been used to establish the connection. Yet, this doesn’t seem very secure. I know that passing the data with the first method isn’t very secure either, but in that case it doesn’t get saved to the browser’s storage. Passing the data as a query parameter added to the URL is also not secure. My question is: what would be the best way to pass the sensitive string from the parent script to the new window, so that it works in desktop and mobile browsers?
Thank you.
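An alternative that keeps the value out of browser storage and out of the URL is a one-time `postMessage` handoff with origin checks on both sides. This is an added example, not part of the original post. The function names and message shape are assumptions, and it relies on the `window.open` handle and `window.opener` being available, which should be verified in the mobile browsers in question.

```javascript
// Added example: one-time secret handoff over postMessage with origin pinning.
// Function names and the {type: "ready" | "secret"} message shape are assumptions.

// Parent side: answer exactly one "ready" request from the window it opened.
function makeParentHandler(childWin, childOrigin, getSecret) {
  let sent = false;
  return function onMessage(event) {
    // Drop messages from any other window or origin, and any repeat request.
    if (sent || event.source !== childWin || event.origin !== childOrigin) return false;
    if (!event.data || event.data.type !== "ready") return false;
    sent = true;
    // Explicit targetOrigin, never "*": the browser discards the message
    // if the child has navigated to a different origin in the meantime.
    childWin.postMessage({ type: "secret", value: getSecret() }, childOrigin);
    return true;
  };
}

// Child side: accept the secret once, only from the opener at the expected origin.
function makeChildHandler(openerWin, parentOrigin, onSecret) {
  let received = false;
  return function onMessage(event) {
    if (received || event.source !== openerWin || event.origin !== parentOrigin) return false;
    const d = event.data;
    if (!d || d.type !== "secret" || typeof d.value !== "string") return false;
    received = true;
    onSecret(d.value); // keep it in a local variable; nothing is written to storage
    return true;
  };
}

// Browser wiring for the parent page (call from a click handler so the popup is allowed).
function wireParent(url, childOrigin, getSecret) {
  const child = window.open(url, "MyAppTitle", "width=300, height=600");
  if (!child) throw new Error("popup blocked or no window handle returned");
  window.addEventListener("message", makeParentHandler(child, childOrigin, getSecret));
}

// Browser wiring for the opened page: listen first, then announce readiness.
function wireChild(parentOrigin, onSecret) {
  if (!window.opener) throw new Error("no opener: handoff not possible in this browser");
  window.addEventListener("message", makeChildHandler(window.opener, parentOrigin, onSecret));
  window.opener.postMessage({ type: "ready" }, parentOrigin);
}
```

The child asks first because the parent cannot know when the new page's listener is registered; the parent answers once and ignores repeats.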