-
Notifications
You must be signed in to change notification settings - Fork 325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refine security and UX constraints for window.ipfs #454
Comments
I have a question about UX. Is there a supported way for an app to pre-emptively request permissions? Say an app Test it out: I think a better UX could be to provide a mechanism for pre-emptively asking for a group of permissions. Solutions that come to mind are like those that mobile app stores provide for apps (Apple's below). I don't know how far it's possible to go with Browser That's a bit of a bummer but it also allows us to build a better permissions experience on top of it, like adding options for |
This is a very good insight. Yes, replacing one-dialog-per-api-method with one-dialog-per-scope would improve UX a lot, but it comes with a price tag attached. The problem with a mechanism for preemptively asking for a group of permissions is that it means an app (app developer) needs to provide some kind of manifest beforehand, and window.ipfs proxy has to take care of parsing that manifest before app executes any real IPFS API calls. To implement it, we would end up with something along these lines:
It should be optional thing, meaning if app does not register manifest, it will still work as it does right now (a separate dialog for every API method it calls for the first time). I don't like the smell of fake API, but as long we put it behind something like |
(posing some updated notes that expand on the topic and provide basis for further discussion) Exposing IPFS API on-demand in fingerprint-resistant wayAfter some time in the wild, we've identified some challenges that come with injecting
We are thinking about characteristics of better schemes for exposing the IPFS API:
A relevant scheme proposed by @Gozala:
Open problem with on-demand/await approach
|
Highly relevant development on
Not a big surprise, we've been thinking about doing something similar in this very issue. This means Note to self: MetaMask and IPFS are often used one the same websites. To make things easier for web developers, we should try to follow conventions established by their implementation of |
Thank you all for the feedback about window.ipfs. We've gathered all the suggestions and now have a much better idea what could be improved. We are going to make it much better in Q4. Future improvements and "window.ipfs 2.0" ideas from my previous comment |
(This is a continuation of endeavor to expose IPFS API as window.ipfs, started in #330)
IPFS Companion v2.2.0 shipped with
window.ipfs
enabled by default.It has access controls in place, but is time to refine it it both in terms of UX (not nagging user when we can sandbox/scope instead) and security (sniffing/spoofing/fingerprinting).
Feel free to provide general feedback in this issue, we will extract specifics when needed.
Tasks
It could be just a section in
window.ipfs.md
. The goal is to have a set of guidelines, our 'rule of thumb' to follow when a new API is added. Should simplify decisions such as: should API X be exposed underwindow.ipfs
? does it require sandboxing/chroot?window.ipfs
(Firefox only)(Prevent websites from knowing I have IPFS running in my browser) Enabling users to remove
window.ipfs
attribute #451Open Questions
The text was updated successfully, but these errors were encountered: