Or somehow trigger a DNS lookup with the key as part of the domain, and grab it at the offsite DNS server?
Or maybe something with RTCPeerConnection, wasn't there some drama about how that's leaking IP adresses without showing up in the devtools?
To really do something like this, I think you'd want to pull in a big, complex JS library where the average developer isn't as familiar with the normal usage patterns. Speaking of which, you could probably provide a modified version of some major library that does something sneaky - who ever really checks that the copy of JQuery loaded on a particular page is actually identical to the official one?
It's going to be a lot harder to hide from the dev tools network tab too. You'd have to already be sending back and forth some pile of data that you can hide stuff in somehow.
Maybe something better would be that they provide a JS function that returns a public and private key, and the intention of the site is to send the username and public key to the server and let the user write down or copy out the private key. Then you have to write JS for the page that looks like it just sends the public key, but actually somehow sends the private key in a way that isn't obvious from reading the code or watching the network traffic.
I would probably attempt to do it by only loading data. Use some bits of your locally generated pseudorandom bits to select a set of random bits from an external site to supposedly increase the randomness of the data (yes, that's nonsense, but less obvious then uploading the key directly), but though the sequence of requested URLs leak the locally generated pseudorandom bits and thus the key.
