mirror of https://github.com/status-im/EIPs.git
116 lines
5.3 KiB
Markdown
116 lines
5.3 KiB
Markdown
---
|
|
eip: 1102
|
|
title: Opt-in provider access
|
|
author: Paul Bouchon <mail@bitpshr.net>
|
|
discussions-to: https://ethereum-magicians.org/t/eip-1102-opt-in-provider-access/414
|
|
status: Draft
|
|
type: Standards Track
|
|
category: Interface
|
|
created: 2018-05-04
|
|
---
|
|
|
|
## Simple summary
|
|
|
|
This proposal describes a way for DOM environments to expose an Ethereum provider API that requires user approval.
|
|
|
|
## Abstract
|
|
|
|
The previous generation of Ethereum-enabled DOM environments follows a pattern of directly injecting a provider object into the DOM without user consent. This exposes users of such environments to fingerprinting attacks since untrusted websites can check for the injected provider and reliably identify Ethereum-enabled clients.
|
|
|
|
This proposal outlines a protocol in which dapps request access to an Ethereum provider API.
|
|
|
|
## Specification
|
|
|
|
### Typical dapp initialization
|
|
|
|
```
|
|
START dapp
|
|
IF web3 is defined
|
|
CONTINUE dapp
|
|
IF web3 is undefined
|
|
STOP dapp
|
|
```
|
|
|
|
### Proposed dapp initialization
|
|
|
|
```
|
|
START dapp
|
|
REQUEST[1] Ethereum provider
|
|
IF user approves
|
|
INJECT[2] provider API
|
|
NOTIFY[3] dapp
|
|
CONTINUE dapp
|
|
IF user rejects
|
|
IF non-Ethereum environment
|
|
NOOP[4]
|
|
```
|
|
|
|
#### `[1] REQUEST`
|
|
|
|
Dapps MUST request an Ethereum provider API by sending a message using the [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) API. This message MUST be sent with a payload object containing a `type` property with a value of ETHEREUM_PROVIDER_REQUEST and an optional `id` property corresponding to an identifier of a specific wallet provider, such as "METAMASK".
|
|
|
|
#### `[2] INJECT`
|
|
|
|
Ethereum-enabled DOM environments MUST expose an Ethereum provider API as a global `ethereum` variable on the `window` object.
|
|
|
|
#### `[3] NOTIFY`
|
|
|
|
Ethereum-enabled DOM environments MUST notify dapps of successful provider API exposure by sending a message using the [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) API. This message MUST be sent with a payload object containing a `type` property with a value of ETHEREUM_PROVIDER_SUCCESS" and an optional `id` property corresponding to an identifier of a specific wallet provider, such as "METAMASK"
|
|
|
|
#### `[4] NOOP`
|
|
|
|
If a user rejects access to the Ethereum provider API on an untrusted site, the site itself MUST NOT be notified in any way; notification of a rejection would allow third-party tools to still identify that a client is Ethereum-enabled despite not being granted access to any provider API.
|
|
|
|
### Example implementation: `postMessage`
|
|
|
|
The following example demonstrates one possible implementation of this strategy in a browser-based DOM environment. Note that Ethereum-enabled environments on other platforms would most likely use platform-specific native messaging protocols, not `postMessage`.
|
|
|
|
```js
|
|
// Listen for provider API exposure
|
|
window.addEventListener('message', function (event) {
|
|
if (!event.data || !event.data.type) { return; }
|
|
if (event.data.type === 'ETHEREUM_PROVIDER_SUCCESS') {
|
|
// Provider API exposed, continue
|
|
const networkVersion = await ethereum.send('net_version', []);
|
|
console.log(networkVersion);
|
|
}
|
|
});
|
|
// Request Provider API
|
|
window.postMessage({ type: 'ETHEREUM_PROVIDER_REQUEST' });
|
|
```
|
|
|
|
## Rationale
|
|
|
|
The pattern of provider auto-injection followed by the previous generation of Ethereum-enabled DOM environements failed to protect user privacy by allowing untrusted websites to uniquely identify Ethereum users. This proposal establishes a new pattern wherein dapps must request access to an Ethereum provider API. This protocol directly prevents fingerprinting attacks by giving users the ability to reject provider exposure on a given website.
|
|
|
|
### Constraints
|
|
|
|
* A provider API MUST NOT be exposed to websites by default.
|
|
* Dapps MUST request a provider API if it does not exist.
|
|
* Users MUST be able to approve or reject provider API access.
|
|
* A provider API MUST be exposed to websites after user consent.
|
|
* Environments MAY continue auto-exposing a provider API if users can opt-out.
|
|
|
|
### Immediate value-add
|
|
|
|
* Users can reject provider API access on untrusted sites to prevent fingerprinting.
|
|
|
|
### Long-term value-add
|
|
|
|
* Dapps could request specific account information based on user consent.
|
|
* Dapps could request specific user information based on user consent (uPort, DIDs).
|
|
* Dapps could request a specific network based on user consent.
|
|
* Dapps could request multiple instances of the above based on user consent.
|
|
|
|
## Backwards compatibility
|
|
|
|
This proposal impacts dapp authors and requires that they request access to an Ethereum provider API before using it. This proposal also impacts developers of Ethereum-enabled environments or dapp browsers as these tools should no longer auto-expose any provider API; instead, they should only do so if a website requests a provider API and if the user consents to its access. Environments may continue to auto-expose an Ethereum provider API as long as users have the ability to disable this behavior.
|
|
|
|
## Implementation
|
|
|
|
The MetaMask team is currently working an [MVP implementation](https://github.com/MetaMask/metamask-extension/pull/4703) of the strategy described above and expects to begin limited user testing soon.
|
|
|
|
## Copyright
|
|
|
|
Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
|