Skip to content

Browser extension provider communication #348

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 25 commits into
base: main
Choose a base branch
from
Open

Browser extension provider communication #348

wants to merge 25 commits into from

Conversation

@jiexi
Copy link
Contributor

@jiexi jiexi commented Apr 10, 2025

This CAIP discusses the motivation, specification, and rationale for a proposal aimed at improving how web extension wallets interact with websites. It outlines the current method of injecting JavaScript provider APIs into websites, its advantages, and its numerous disadvantages, such as security concerns, performance issues, and the risk of breaking websites. An alternative strategy is proposed that specifies a standard communication specification over a new transport layer which enables websites to be able to embed their own provider as a library, addressing the disadvantages of injecting providers into websites and improving web extension interoperability as a whole.

jiexi and others added 22 commits April 23, 2024 14:19
@jiexi
Fork @Gudahtt 's proposal
db1b0eb
@jiexi
WIP
b96b182
@jiexi
fleshing caip out more
240ed2a
@jiexi
Rationale. Add missing sections
c609592
@jiexi
Security and Privacy
79f777c
@jiexi
remove json-rpc providers from summary. update abstract
6641dd4
@jiexi @adonesky1
Update caip-browser_extension_provider_communication.md
6fad470 
Co-authored-by: Alex Donesky <alex.donesky@consensys.net>
@jiexi @adonesky1
Update caip-browser_extension_provider_communication.md
c0e298c 
Co-authored-by: Alex Donesky <alex.donesky@consensys.net>
@jiexi @adonesky1
Update caip-browser_extension_provider_communication.md
6396b51 
Co-authored-by: Alex Donesky <alex.donesky@consensys.net>
@jiexi
update injecting code breakage text
518c27e
@jiexi
Merge remote-tracking branch 'origin/browser-extension-provider-commu…
e46a901 
…nication' into browser-extension-provider-communication
@jiexi @adonesky1
Update caip-browser_extension_provider_communication.md
1cff079 
Co-authored-by: Alex Donesky <alex.donesky@consensys.net>
@jiexi
Update firefox caveat. Remove different extension id text
e7a8390
@jiexi
reword 'no safely make breaking changes' text
a2c083a
@jiexi
use 'inpage injected providers' in summary and abstract
4205dc5
@jiexi
Update simple summary and abstract
5f093b1
@jiexi @adonesky1
Update caip-browser_extension_provider_communication.md
1ac953f 
Co-authored-by: Alex Donesky <alex.donesky@consensys.net>
@jiexi @adonesky1
Update caip-browser_extension_provider_communication.md
0136d89 
Co-authored-by: Alex Donesky <alex.donesky@consensys.net>
@jiexi
Remove message format todo
fea1505
@jiexi
Merge remote-tracking branch 'origin/browser-extension-provider-commu…
54b6041 
…nication' into browser-extension-provider-communication
@jiexi
update json schema
6d14374
@jiexi
add privacy fingerprint considerations
649f856
@jiexi
Copy link
Contributor Author

jiexi commented Apr 10, 2025
edited
Loading

WIP. I still need to address comments in the old PR here. Opening this now to secure a caip number since we have need for this in our implementation we will soon be exposing publicly

bumblefudge
bumblefudge reviewed Apr 11, 2025
View reviewed changes
caip-browser_extension_provider_communication.md Outdated

## Security Considerations
<!--Please add an explicit list of intra-actor assumptions and known risk factors if applicable. Any normative definition of an interface requires these to be implementable; assumptions and risks should be at both individual interaction/use-case scale and systemically, should the interface specified gain ecosystem-namespace adoption. -->
`externally_connectable` has seen a decade of usage via extensions on Chrome. It has a strictly better security when compared to postMessage over contentscript.
Copy link
Collaborator

@bumblefudge bumblefudge Apr 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
`externally_connectable` has seen a decade of usage via extensions on Chrome. It has a strictly better security when compared to postMessage over contentscript.
`externally_connectable` has seen a decade of usage via extensions on Chrome. It has strictly better security properties when compared to `postMessage` over content scripts.

This was referenced Apr 15, 2025
Merged
Merged
Merged
jiexi added a commit to MetaMask/test-dapp-multichain that referenced this pull request Apr 16, 2025
@jiexi
feat: Replace caip-x with caip-348 (#53)
e4b7c49 
Replace `caip-x` with `caip-348`

See: ChainAgnostic/CAIPs#348
See: MetaMask/metamask-extension#32070
@bumblefudge
Copy link
Collaborator

bumblefudge commented Jun 2, 2025

@jiexi Should this be merged into #341 ? It seems like they're complementary, to some degree; if you want to keep them as two distinct documents, maybe this one should be informational and that one should be normative (might require moving some stuff over there)

bumblefudge
bumblefudge reviewed Jun 9, 2025
View reviewed changes
caip-browser_extension_provider_communication.md
While web extensions could realize the benefits of `externally_connectable` without using it with a standardized interface, this would mean that every web extension would have to ship a provider library that worked specifically for their interface and that Dapps would need to import them. It wouldn't be feasible for Dapps to import every single web extension's specific provider implementation, making this approach less viable.

Web extension inter-operability is the key to enabling generalized provider implementations. Generalized provider implementations allows for convenient adoption by Dapps, leading to more wide spread adoption of the standard as a result.

Copy link
Collaborator

@bumblefudge bumblefudge Jun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reminder: maybe mention other uses of the transport being possible?

bumblefudge
bumblefudge reviewed Jul 30, 2025
View reviewed changes
@pedrouid
Copy link
Member

pedrouid commented Oct 8, 2025

Shouldnt this be closed in favor of the recently merged #282

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bumblefudge bumblefudge bumblefudge left review comments

+2 more reviewers

@adonesky1 adonesky1 adonesky1 left review comments

@octavio12345300 octavio12345300 octavio12345300 approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jiexi @bumblefudge @pedrouid @adonesky1 @octavio12345300