Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add documentation for Ethereum and Solana feature policies #62

Merged
merged 2 commits into from
Jul 4, 2022
Merged

Add documentation for Ethereum and Solana feature policies #62

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
93ee5e8
Add documentation for Ethereum and Solana feature policies
bbondy Jun 29, 2022
35c49a6
Link to provider availability from overview
bbondy Jun 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions docs/default-wallet.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,18 @@
---
sidebar_position: 3
sidebar_position: 5
---

# Default Wallet setting

Dapps work by communicating with a special object that Brave Wallet and extensions like MetaMask provide named `window.ethereum`.
Only one wallet can provide `window.ethereum` to websites.
In Brave, we expose a setting in `brave://settings/wallet` to be able to change which wallet provides `window.ethereum`.
We expose a setting in `brave://settings/wallet` to control how Brave makes the provider objects available (`window.ethereum` and `window.braveSolana` and its alias `window.solana`)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the first time I've seen window.braveSolana. What's the motivation for moving this and keeping the alias or was it always like this in the first place?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is somewhat recent but not related to security. To get in Solana's wallet adapter repo they would not accept window.solana so we needed to rename to window.braveSolana and we retain an alias to that of window.solana for now.

anza-xyz/wallet-adapter#445 (comment)

Copy link
Member

@kdenhartog kdenhartog Jun 30, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for linking to that thread, it's not fully clear to me about their motivations but it's excellent context for me if the conversation comes up again in the future and I need to reference back to it in order to find out more.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep! Apologies for not highlighting that to you earlier.


Since extensions sometimes also provide these objects, this setting will help decide which wallet handles these objects.

Here's a description of each setting:
- Brave Wallet (Prefer extensions) - This is the default. Brave Wallet will expose `window.ethereum` but allow other extensions such as MetaMask to overwrite it.
- Brave Wallet - Exposes `window.ethereum` and prevents sites and extensions from changing `window.ethereum`.
- Crypto Wallets (Deprecated) - Gives access to the old deprecated wallet. This option is not compatible with other extensions such as MetaMask.
- None - `window.ethereum` will not be provided by Brave Wallet at all. If you have enabled an extension such as MetaMask, it is free to use `window.ethereum`.
- `Brave Wallet (Prefer extensions)` - This is the default. Brave Wallet will expose `window.ethereum` and `window.braveSolana` but allow other extensions such as MetaMask to overwrite it.
- `Brave Wallet` - Exposes `window.ethereum` and `window.braveSolana` and prevents sites and extensions from changing them.
- `Crypto Wallets (Deprecated)` - Gives access to the old deprecated wallet. This option is not compatible with other extensions such as MetaMask.
- `None` - `window.ethereum` and `window.braveSolana` will not be provided by Brave Wallet at all. If you have enabled an extension such as MetaMask, it is free to use the provider object.

After changing the default wallet, it is best to restart your browser. Why?
- If you had Crypto Wallets loaded, it won't be unloaded until the next restart. When Crypto Wallets is loaded it will not work properly with other extensions trying to access `window.ethereum`.
Expand Down
2 changes: 1 addition & 1 deletion docs/ethereum/_category_.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{
"label": "Ethereum",
"position": 4
"position": 5
}
3 changes: 2 additions & 1 deletion docs/ethereum/overview.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,8 @@ slug: /ethereum

# Overview

Brave injects a `windows.ethereum` provider object on all pages.
Brave injects a `windows.ethereum` provider object on secure sites [in these cases](/provider-availability).

This object is defined by [EIP-1193](https://eips.ethereum.org/EIPS/eip-1193).

The in-page provider will not be provided by Brave in private and Tor window.
Expand Down
58 changes: 58 additions & 0 deletions docs/provider-availability.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
---
sidebar_position: 3
---

# Restrictions for providers
The provider objects (e.g. `window.ethereum` and `window.braveSolana`) are not provided in all contexts.

Historically the web has had a notion of “powerful" APIs like geolocation and camera/microphone, which are subject to additional security restrictions. See for instance https://www.w3.org/TR/secure-contexts/.

Because they allow websites to request access to user funds, new web3 APIs like `window.ethereum` and `window.braveSolana` are subject to the same restrictions as other powerful APIs like `geolocation` in Brave.
As a rule of thumb, if a context is not allowed to request access to geolocation, `window.ethereum` and `window.braveSolana` are `undefined` in the same contexts.

Provider objects are not accessible in private and Tor window.


## Restrictions for insecure contexts

Only “secure origins" as defined in https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features/#definitions have access to `window.ethereum` and `window.braveSolana`.
This can be checked using `window.isSecureContext`, including inside iframes.
Secure contexts include sites that are served from HTTPS but also HTTP `localhost`.

## Restrictions in iframes

By default the provider objects are not exposed to 3p iframes.
Brave exposes 2 new [feature policies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) for Ethereum and Solana named `ethereum` and `solana` respectively.

`window.ethereum` and `window.braveSolana` are blocked in an iframe if `window.isSecureContext` is `false` in that iframe.

In addition:

1. If the iframe is third party to the top-level origin, it will be blocked UNLESS the iframe has the `allow="{solana/ethereum}"` attribute (where “solana" and “ethereum" values control the corresponding API permissions).
2. If the iframe is first party to the top-level origin AND the `sandbox` attribute is set on the iframe, it will be blocked UNLESS `sandbox="allow-same-origin"` is set. Note "allow-same-origin"` does nothing if the iframe is third-party.
3. For security-conscious users, we add a setting to block window.{ethereum,solana} in ALL iframes, regardless of origin or attributes. This matches the default behavior on iOS.

### iOS
Currently on iOS, `window.ethereum` and `window.braveSolana` are both undefined in all iframes.

## Example cases

In all these cases, the `window.ethereum` or `window.braveSolana` request is coming from the innermost iframe.
bbondy marked this conversation as resolved.
Show resolved Hide resolved
- Top level `http://a.com` -> blocked (insecure)
- Top level `https://a.com` -> allowed
- Top level `https://a.com` with `<iframe src="http://a.com/">` -> blocked (insecure/3p)
- Top level `http://a.com` with `<iframe src="https://a.com/">` -> blocked (insecure/3p)
- Top level `https://a.com` with `<iframe src="https://a.com">` -> allowed
- Top level `https://a.com` with `<iframe src="https://b.com">` -> blocked (3p)
- Top level `https://b.com` with `<iframe src="http://a.com/">` with `<iframe src="https://b.com">` -> blocked (insecure)
- Top level `https://b.com` with `<iframe src="https://a.com">` with `<iframe src="https://b.com">` -> blocked (3p)
- Top level `https://a.com` with `<iframe src="https://b.a.com">` -> blocked (3p)
- Top level `https://a.com` with `<iframe src="https://b.a.com" allow="ethereum">` -> ethereum allowed, solana blocked
- Top level `https://a.com` with `<iframe src="https://b.com" allow="ethereum">` -> ethereum allowed, solana blocked
- Top level `https://a.com` with `<iframe src="https://b.a.com" allow="ethereum; solana">` -> ethereum allowed, solana allowed
- Top level `https://a.com` with `<iframe src="https://a.com" sandbox>` -> blocked (sandbox)
- Top level `https://a.com` with `<iframe src="https://a.com" sandbox="allow-same-origin allow-scripts">` -> allowed (but note this case is discouraged in https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox because it’d allow the iframe to remove its own sandbox attribute)
- Top level `data://foo with <iframe src="data://bar">` -> blocked (insecure)
- Top level `file://foo with <iframe src="file://bar">` -> blocked (3p)
- Top level `https://a.com` with `<iframe src="https://b.com" sandbox="allow-same-origin allow-scripts">` -> blocked (3p)
- Top level `https://a.com` with `<iframe src="https://b.com" sandbox="allow-scripts" allow="ethereum; solana">` -> ethereum allowed, solana allowed
9 changes: 9 additions & 0 deletions docs/provider-objects.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
sidebar_position: 2
---

# Provider objects

Dapps work by communicating with a special object named a provider object exposed to websites.
- For Ethereum that object is `window.ethereum`.
- For Solana that object is `window.braveSolana` (`window.solana` is an alias).
2 changes: 1 addition & 1 deletion docs/solana/_category_.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{
"label": "Solana",
"position": 5
"position": 6
}
5 changes: 2 additions & 3 deletions docs/solana/overview.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,8 @@ Brave creates Ed25519 keypairs following
derivation path `m/44'/501'/{index}'/0'` for each accounts in
[BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki)

Brave injects a `window.braveSolana` provider object on all pages. However it will
not be accessible in private and Tor window. Alias `window.solana` is kept for
compatibility.
Brave injects a `window.braveSolana` provider object on secure sites [in these cases](/provider-availability).
Alias `window.solana` is kept for compatibility.

dApps can use this provider object to:
- Request user permission to share public key (Establish a connection)
Expand Down