Update EIP-5593: resolve MUST/SHOULD contradiction for third-party iframe blocking #10801
| - By default the Ethereum Provider APIs MUST NOT be exposed to third-party iframes. | ||
| - `window.ethereum` MUST be `undefined` in an iframe where `window.isSecureContext` returns `false` in that iframe. | ||
| - If the iframe is a third party to the top-level secure origin, it SHOULD be blocked. | ||
| - If the iframe is a third party to the top-level secure origin, it MUST be blocked. |
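Review bot: with the third-party bullet now reading MUST, the words "By default" in the first bullet ("By default the Ethereum Provider APIs MUST NOT be exposed to third-party iframes") no longer have anything to qualify, since these lines leave no non-default path. Either drop "By default" or state the exception it is meant to keep open. "Blocked" is also harder to test than the wording of the second bullet; consider saying that `window.ethereum` MUST be `undefined` in a third-party iframe.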
This is defined as SHOULD rather than MUST because not all wallets were enforcing this.
I don't have an issue with this, but it's updating the document in a way that doesn't reflect reality. Also, it might be an issue for smart wallets, so that should be weighed here.
| - If the iframe is a third party to the top-level secure origin, it MUST be blocked. | ||
| - If the iframe is first-party to the top-level origin AND the `sandbox` attribute is set on the iframe, the provider object MUST be blocked. If the `sandbox` attribute is set to `sandbox="allow-same-origin"` it MUST be injected for a first party frame. | ||
| - Note `"allow-same-origin"` does nothing if the iframe is third-party. The case of the third party iframe is dictated by the usage of the `allow` attribute and the Permissions API as defined in the rule above. | ||
| - Note `"allow-same-origin"` does nothing if the iframe is third-party. Third-party iframes MUST be blocked regardless of the `sandbox` attribute or any other configuration. |
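Review bot: the replacement sentence in the Note puts a new MUST inside explanatory text and repeats the third-party rule above it, so the requirement now lives in two places that can drift apart. Keep the normative statement in the rule and let the Note only point to it. "any other configuration" is also broader than what it replaces: the removed sentence named the `allow` attribute and the Permissions API, so if the intent is to rule out that opt-in path, name it explicitly.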
This would make Brave's implementation non-compliant, when the whole point of the EIP was to document this sandbox behavior.
The page has the ability to request usage of this via the attribute in Brave and then the user can grant or deny the permission using the permissions prompt.
I'm not sure how other wallets would handle this though.
EIP authors need to first take a call on this.
Clarifies that third-party iframes MUST be blocked (not SHOULD) to align with the MUST NOT requirement for default exposure.
Removes ambiguous reference to Permissions API and allow attribute mechanism that was never fully specified, replacing it with explicit blocking requirement regardless of configuration.
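
The iframe rules as they would read with this change applied, written as an injection decision a wallet could unit-test. This is an added example, not code from the EIP, the PR or any wallet. The frame fields (`url`, `topUrl`, `sandbox`, `isSecureContext`) and function names are hypothetical, "third party" is approximated as an origin mismatch, and a `sandbox` value containing the `allow-same-origin` token alongside others is assumed to count the same as `sandbox="allow-same-origin"`.

```javascript
// Added illustration; field and function names are hypothetical.

// Parse a sandbox attribute into a token set. null means the attribute is absent,
// which is different from sandbox="" (present, no tokens, most restrictive).
function sandboxTokens(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Assumption: third party == different origin from the top-level page.
function isThirdParty(frameUrl, topUrl) {
  return new URL(frameUrl).origin !== new URL(topUrl).origin;
}

// Decide whether window.ethereum is injected into one iframe.
function providerDecision(frame) {
  if (!frame.isSecureContext) {
    return { inject: false, reason: "insecure context" };
  }
  if (isThirdParty(frame.url, frame.topUrl)) {
    // With the PR applied: blocked regardless of sandbox or other configuration.
    return { inject: false, reason: "third-party frame" };
  }
  const tokens = sandboxTokens(frame.sandbox);
  if (tokens !== null && !tokens.has("allow-same-origin")) {
    return { inject: false, reason: "sandboxed first-party frame" };
  }
  return { inject: true, reason: "first-party frame" };
}

// Constructed sample frames, all embedded in https://dapp.example/.
const top = "https://dapp.example/";
const samples = [
  { url: "https://dapp.example/widget", topUrl: top, sandbox: null, isSecureContext: true },
  { url: "https://dapp.example/widget", topUrl: top, sandbox: "", isSecureContext: true },
  { url: "https://dapp.example/widget", topUrl: top, sandbox: "allow-scripts allow-same-origin", isSecureContext: true },
  { url: "https://ads.example/frame", topUrl: top, sandbox: "allow-same-origin", isSecureContext: true },
  { url: "http://dapp.example/widget", topUrl: top, sandbox: null, isSecureContext: false },
];

for (const f of samples) {
  const d = providerDecision(f);
  console.log(f.url, JSON.stringify(f.sandbox), "->", d.inject, `(${d.reason})`);
}
```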