Comments (1)
It's not clear to me what the question is here. Is the concern that we don't think session identifiers need to exist or that we don't believe they need to have cryptographic requirements around them?
There is a way that we could achieve the same security requirements by binding the session to the origin it's connected to and have the wallet maintain an internal mapping where it checks every session identifier is being used by the correct origin. Then the cryptographic requirements wouldn't be necessary since we'd achieve the security in a different way.
In theory this is actually a more secure design because these session identifiers are capability objects theoretically could be stolen to conduct a session hijacking attack to bypass permissions. The advantage to the cryptographic requirement though is that you can delegate the session permissions to a first/third party iframe which may be useful. In general, I've leaned towards not wanting to allow cross origin sharing of information because it can lead to cross origin tracking and other unexpected privacy and security violations, so maybe it's better that we don't actually use a cryptographic entropy requirement and instead require the wallet to maintain state connecting the origin to the session identifier?
from caips.
Related Issues (20)
- [CAIP-27] Corner-cases around accounts assumptions HOT 1
- Draft: Add CAIP-2 for edeXa blockchain
- User feedback: No way to address a NON-ASSET deployed smart contract in a namespaced way HOT 7
- User feedback: No way to address a specific transaction HOT 2
- [CAIP-122] Add guideline to match on `domain` term HOT 1
- How to refer to attestations as asset class? HOT 17
- fix github link on jekyll template
- [CAIP-122] Why only ASCII? HOT 4
- 168ff88295830ada21c45d828a6551bf57861568
- [CAIP-196] UCANs with header entries HOT 3
- [CAIP-196] Timestamp precision
- Problem rendering list of CAIPS required HOT 1
- register CAIP URI scheme with IANA?
- CAIP for domain/address resolution protocols list HOT 1
- Converting Scopes into ReCaps
- [CAIP-19] Assets versus Actors or Entities? HOT 1
- [Multichain] Has anyone seen ERC-4804-style URI schemes for non-EVM chains?
- Supporting multiple chains with CAIP-122 HOT 2
- Implementer Feedback: CAIP-122<>EIP-4361 mismatch HOT 12
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from caips.