EIPs/EIPS/eip-1102.md

---
eip: 1102
title: Opt-in provider access
author: Paul Bouchon <mail@bitpshr.net>
discussions-to: https://ethereum-magicians.org/t/opt-in-web3-access/414
status: Draft
type: Standards Track
category: Interface
created: 2018-05-04
---

## Simple summary

This proposal describes a way for DOM environments to expose an Ethereum provider API that requires user approval.

## Abstract

The previous generation of Ethereum-enabled DOM environments follows a pattern of directly injecting a provider object into the DOM without user consent. This exposes users of such environments to fingerprinting attacks since untrusted websites can check for the injected provider and reliably identify Ethereum-enabled clients.

This proposal outlines a protocol in which dapps request access to an Ethereum provider API.

## Specification

### Typical dapp initialization

```
START dapp
IF web3 is defined
    CONTINUE dapp
IF web3 is undefined
    STOP dapp
```

### Proposed dapp initialization

```
START dapp
REQUEST[1] Ethereum provider
    IF user approves
        NOTIFY[2] dapp
        CONTINUE dapp
    IF user rejects
    IF non-Ethereum environment
        NOOP[3]
```

#### `[1] REQUEST`

Dapps MUST request an Ethereum provider API by sending a message using the [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) API. This message MUST be sent with a payload object containing a `type` property with a value of `ETHEREUM_PROVIDER_REQUEST`.

#### `[2] NOTIFY`

Ethereum-enabled DOM environments MUST notify dapps of successful provider API exposure by sending a message using the [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) API. This message MUST be sent with a payload object containing a `type` property with a value of `ETHEREUM_PROVIDER_SUCCESS` and an `ethereum` property containing an Ethereum provider object that conforms to [ethereum/interfaces#16](https://github.com/ethereum/interfaces/issues/16).

#### `[3] NOOP`

If a user rejects access to the Ethereum provider API on an untrusted site, the site itself MUST NOT be notified in any way; notification of a rejection would allow third-party tools to still identify that a client is Ethereum-enabled despite not being granted access to any provider API.

### Example implementation: `postMessage`

The following example demonstrates one possible implementation of this strategy in a browser-based DOM environment. Note that Ethereum-enabled environments on other platforms would most likely use platform-specific native messaging protocols, not `postMessage`.

```js
// Listen for provider API
window.addEventListener('message', function (event) {
    if (!event.data || !event.data.type) { return; }
    if (event.data.type === 'ETHEREUM_PROVIDER_SUCCESS') {
        // Provider API exposed, continue
        const networkVersion = await event.data.ethereum.send('net_version', []);
        console.log(networkVersion);
    }
});
// Request Provider API
window.postMessage({ type: 'ETHEREUM_PROVIDER_REQUEST' });
```

## Rationale

The pattern of provider auto-injection followed by the previous generation of Ethereum-enabled DOM environements failed to protect user privacy by allowing untrusted websites to uniquely identify Ethereum users. This proposal establishes a new pattern wherein dapps must request access to an Ethereum provider API. This protocol directly prevents fingerprinting attacks by giving users the ability to reject provider exposure on a given website.

### Constraints

* A provider API MUST NOT be exposed to websites by default.
* Dapps MUST request a provider API if it does not exist.
* Users MUST be able to approve or reject provider API access.
* A provider API MUST be exposed to websites after user consent.
* Environments MAY continue auto-exposing a provider API if users can opt-out.

### Immediate value-add

* Users can reject provider API access on untrusted sites to prevent fingerprinting.

### Long-term value-add

* Dapps could request specific account information based on user consent.
* Dapps could request specific user information based on user consent (uPort, DIDs).
* Dapps could request a specific network based on user consent.
* Dapps could request multiple instances of the above based on user consent.

## Backwards compatibility

This proposal impacts dapp authors and requires that they request access to an Ethereum provider API before using it. This proposal also impacts developers of Ethereum-enabled environments or dapp browsers as these tools should no longer auto-expose any provider API; instead, they should only do so if a website requests a provider API and if the user consents to its access. Environments may continue to auto-expose an Ethereum provider API as long as users have the ability to disable this behavior.

## Implementation

The MetaMask team is currently working an [MVP implementation](https://github.com/MetaMask/metamask-extension/pull/4703) of the strategy described above and expects to begin limited user testing soon.

## Copyright

Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00			`---`
			`eip: 1102`
Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`title: Opt-in provider access`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00			`author: Paul Bouchon <mail@bitpshr.net>`
			`discussions-to: https://ethereum-magicians.org/t/opt-in-web3-access/414`
			`status: Draft`
			`type: Standards Track`
			`category: Interface`
			`created: 2018-05-04`
			`---`

			`## Simple summary`

Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`This proposal describes a way for DOM environments to expose an Ethereum provider API that requires user approval.`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
			`## Abstract`

Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`The previous generation of Ethereum-enabled DOM environments follows a pattern of directly injecting a provider object into the DOM without user consent. This exposes users of such environments to fingerprinting attacks since untrusted websites can check for the injected provider and reliably identify Ethereum-enabled clients.`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`This proposal outlines a protocol in which dapps request access to an Ethereum provider API.`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
			`## Specification`

			`### Typical dapp initialization`

			```
			`START dapp`
			`IF web3 is defined`
			`CONTINUE dapp`
			`IF web3 is undefined`
			`STOP dapp`
			```

			`### Proposed dapp initialization`

			```
			`START dapp`
Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`REQUEST[1] Ethereum provider`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00			`IF user approves`
Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`NOTIFY[2] dapp`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00			`CONTINUE dapp`
			`IF user rejects`
Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`IF non-Ethereum environment`
			`NOOP[3]`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00			```

			#### `[1] REQUEST`

Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			Dapps MUST request an Ethereum provider API by sending a message using the [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) API. This message MUST be sent with a payload object containing a `type` property with a value of `ETHEREUM_PROVIDER_REQUEST`.
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			#### `[2] NOTIFY`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			Ethereum-enabled DOM environments MUST notify dapps of successful provider API exposure by sending a message using the [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) API. This message MUST be sent with a payload object containing a `type` property with a value of `ETHEREUM_PROVIDER_SUCCESS` and an `ethereum` property containing an Ethereum provider object that conforms to [ethereum/interfaces#16](https://github.com/ethereum/interfaces/issues/16).
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			#### `[3] NOOP`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`If a user rejects access to the Ethereum provider API on an untrusted site, the site itself MUST NOT be notified in any way; notification of a rejection would allow third-party tools to still identify that a client is Ethereum-enabled despite not being granted access to any provider API.`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
			### Example implementation: `postMessage`

Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			The following example demonstrates one possible implementation of this strategy in a browser-based DOM environment. Note that Ethereum-enabled environments on other platforms would most likely use platform-specific native messaging protocols, not `postMessage`.
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
			```js
Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`// Listen for provider API`
			`window.addEventListener('message', function (event) {`
			`if (!event.data \|\| !event.data.type) { return; }`
			`if (event.data.type === 'ETHEREUM_PROVIDER_SUCCESS') {`
			`// Provider API exposed, continue`
			`const networkVersion = await event.data.ethereum.send('net_version', []);`
			`console.log(networkVersion);`
			`}`
			`});`
			`// Request Provider API`
			`window.postMessage({ type: 'ETHEREUM_PROVIDER_REQUEST' });`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00			```

			`## Rationale`

Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`The pattern of provider auto-injection followed by the previous generation of Ethereum-enabled DOM environements failed to protect user privacy by allowing untrusted websites to uniquely identify Ethereum users. This proposal establishes a new pattern wherein dapps must request access to an Ethereum provider API. This protocol directly prevents fingerprinting attacks by giving users the ability to reject provider exposure on a given website.`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
			`### Constraints`

Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`* A provider API MUST NOT be exposed to websites by default.`
			`* Dapps MUST request a provider API if it does not exist.`
			`* Users MUST be able to approve or reject provider API access.`
			`* A provider API MUST be exposed to websites after user consent.`
			`* Environments MAY continue auto-exposing a provider API if users can opt-out.`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
			`### Immediate value-add`

Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`* Users can reject provider API access on untrusted sites to prevent fingerprinting.`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
			`### Long-term value-add`

			`* Dapps could request specific account information based on user consent.`
			`* Dapps could request specific user information based on user consent (uPort, DIDs).`
			`* Dapps could request a specific network based on user consent.`
			`* Dapps could request multiple instances of the above based on user consent.`

			`## Backwards compatibility`

Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			This proposal impacts dapp authors and requires that they request access to an Ethereum provider API before using it. This proposal also impacts developers of Ethereum-enabled environments or dapp browsers as these tools should no longer auto-expose any provider API; instead, they should only do so if a website requests a provider API and if the user consents to its access. Environments may continue to auto-expose an Ethereum provider API as long as users have the ability to disable this behavior.
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
			`## Implementation`

Automatically merged updates to draft EIP(s) 1102 Hi, I'm a bot! This change was automatically merged because: - It only modifies existing Draft or Last Call EIP(s) - The PR was approved or written by at least one author of each modified EIP - The build is passing 2018-07-03 13:56:21 +00:00			`The MetaMask team is currently working an [MVP implementation](https://github.com/MetaMask/metamask-extension/pull/4703) of the strategy described above and expects to begin limited user testing soon.`
EIP: Opt-in web3 access (#1102) * Initial draft * Strengthen constraint language and add noop logic path * Add identifier property to web3 request payload * Update example to remove error case * Add identifier to web3 response payload for filtering * Concretely detail DOM-specific APIs * Update and rename eip-web3-access.md to eip-1102.md * Remove unnecessary constraint link 2018-06-01 10:42:51 +00:00
			`## Copyright`

			`Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).`