search

dfinity / wg-identity-authentication

Repository of the Identity and Wallet Standards Working Group
https://wiki.internetcomputer.org/wiki/Identity_%26_Authentication
Apache License 2.0
26 stars 8 forks source link

ICRC-29: Switch from signer notification to polling #178

Closed frederikrothenberger closed 1 month ago

frederikrothenberger commented 1 month ago

By changing from the notification to polling, the signer no longer relies on the window.opener to be available to signal its readiness.

This is allows the signer window to redirect to other domains before signalling ready.

sea-snake commented 1 month ago

@frederikrothenberger

This is allows the signer window to redirect to other domains before signalling ready.

How would the relying party know that the incoming messages are coming from the correct window? Normally when a relying party opens a (popup) window for origin X you start listening for messages from origin X and send messages to origin X.

But if that window redirects from origin X to origin Y, how would the relying party know that it should listen and send messages to origin Y instead of X?

Sending messages without specifying the origin leaks the message to different origins (in case the window has navigated to a different origin) and listening to all messages without checking the origin is insecure since now any incoming window message is interpreted (including iframes).