The pastebin method, though lacking a known author besides "A guest, on December 7, 2016", makes sense to me, and matches the spec as I understand it. Still it irks my paranoia, since we're fundamentally discussing a security issue.

The function in shot.js may be harder to change – that file is used on both the server and client, so window shouldn't be used. OTOH, looking at how that function is used there's no real security concern, and Math.random would be fine for that case. Also I notice while the function in shot.js is distractingly called makeUuid() it actually returns a random string. I think you could just leave that function alone.

The function that does matter in terms of security is in randomString.

For makeUuid.js you could still use the string substitution method (which reads kind of nicely), and just use var r = u[index]; index++

Understood. I'll make those changes. Thanks for the feedback!

OK, I restored shared/shot.js to match the version on master, and modified makeUuid.js to use getRandomValues with the pre-existing 'xxxxx...'.replace approach. How's it look?

Oops, I saw the "WIP" in the title and didn't notice your updates! Reviewing now...