Comments (1)
It's not clear to me what the question is here. Is the concern that we don't think session identifiers need to exist or that we don't believe they need to have cryptographic requirements around them?
There is a way that we could achieve the same security requirements by binding the session to the origin it's connected to and have the wallet maintain an internal mapping where it checks every session identifier is being used by the correct origin. Then the cryptographic requirements wouldn't be necessary since we'd achieve the security in a different way.
In theory this is actually a more secure design because these session identifiers are capability objects theoretically could be stolen to conduct a session hijacking attack to bypass permissions. The advantage to the cryptographic requirement though is that you can delegate the session permissions to a first/third party iframe which may be useful. In general, I've leaned towards not wanting to allow cross origin sharing of information because it can lead to cross origin tracking and other unexpected privacy and security violations, so maybe it's better that we don't actually use a cryptographic entropy requirement and instead require the wallet to maintain state connecting the origin to the session identifier?
from caips.
Related Issues (20)
- CACAO v2/v3 confusion and varsig - are v3/varsig stale? HOT 1
- CAIP-122: address or account_id? HOT 2
- CAIP-2: chain ID alias HOT 2
- [CAIP-74] Signature Metadata type is not well defined HOT 1
- https://support.exodus.com/support/en/articles/8598833-walletconnect-in-exodus-mobile#qr-code کیف پول اکسود وس HOT 1
- 2
- 2
- [Publishing] Link to post-final updates, extensions, and proposed replaces from final CAIPs?
- [CAIP-275] - chain-specific resolution corner-case HOT 1
- Browser Wallet Messaging for Extensions (window.dispatchEvent)
- Browser Wallet Messaging for Iframes (window.postMessage)
- Browser Wallet Messaging for Extensions (externally_connectable)
- [CAIP-25] - Pass of editing to clarify "persistance" requirements on both sides
- [CAIP-25] - Refactor "requiredScopes" to suggest but not require connection breakage
- [tracking issue] `wallet_getSession` method needed for feature parity between legacy concurrent CAIP-25 and single-session CAIP-25 (see PR 285)
- [tracking issue] `wallet_revokeSession` method needed for feature parity between legacy concurrent CAIP-25 and single-session CAIP-25 (see PR 285)
- Ууу HOT 1
- [tracking issue] CAIP-25 in sessionId-mandatory mode and sessionId-optional CAIP-25 are confusing HOT 1
- [tracking issue] CAIP-25 needs a clearer definition of trust criterion for sharing informative error handling
- CAIP-104 rendering broken
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from caips.