penumbra-zone / web

Apache License 2.0

Token icons leak balances #639

Open grod220 opened 5 months ago

grod220 commented 5 months ago

Currently our asset registry has entries with icon urls from github. That means, when loaded in the web app, it leaks to github what user balances are.

At extension build time, we should download these SVGs, sanitize them for any scripts, and store them locally. Then the frontend can load them directly from the extension.

See: https://github.com/penumbra-zone/web/issues/392

Alternative from @turbocrime, make them data uri blobs: https://discord.com/channels/824484045370818580/1044457038886998137/1212847319909662720

turbocrime commented 5 months ago

we should likely bundle all icons into the extension, this probably takes about 12MB given approach in #392 of crushing all icons to 100x100 png

it may be desirable to dynamically acquire unknown icons at runtime, but this would unavoidably leak interest in the asset

turbocrime commented 5 months ago

for serving from the extension we could

1) serve icons via web accessible resources. these must be declared in the manifest. there are about 1000 icons so this might be undesirable

2) serve icons via rpc in data uri. this requires no spec change, but now we're serving base64 image blobs in rpc. in this situation, icons should probably live as files in the extension that are blobbed at runtime.

turbocrime commented 5 months ago

we could probably have a new web package with a script to convert the icons present in the cosmos registry, and then submodule the cosmos registry or git-lfs the script output.

jessepinho commented 4 months ago

We could:

  1. Install https://github.com/cosmos/chain-registry as a Git-based (rather than npm.org-based) package.json dependency.
  2. Agree that we only ever use SVGs — not PNGs, etc. This makes their use more flexible, and reduces file size.
  3. Use e.g., SVGR to allow direct imports of SVGs as React components.
  4. Thereby bundle all icons we use into the repo (probably via a barrel import).

turbocrime commented 4 months ago

> Agree that we only ever use SVGs — not PNGs, etc. This makes their use more flexible, and reduces file size.

in practice this is not true for the set of icons in the registry.

also, we use a very limited number of small icon sizes, and these will get served as blob in rpc anyway. prerendering png should be fine.

turbocrime commented 4 months ago

> 4. Thereby bundle all icons we use into the repo (probably via a barrel import).

using svg icons in barrel import would bundle dozens of mb

jessepinho commented 4 months ago

@turbocrime

> in practice this is not true for the set of icons in the registry.

What's not true? That it reduces file size?

> serve icons via rpc in data uri

Just saw this comment above — this seems like a great approach.

jessepinho commented 3 months ago

This can be closed now that we're building an asset registry, right? (Assuming the asset registry contains base64-encoded icons?)

grod220 commented 3 months ago

The asset registry will contain links to all the assets. So this issue is still relevant. I'll drag this in as this relates to my ongoing work with the registry.

We'll need prax to download the assets and replace those external links with internal ones pointing to the local assets in the extension.
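The build-time pipeline this thread converges on (fetch registry icons once, vet them, store them locally and hand them to the frontend as data URIs so no per-asset request ever reaches GitHub at runtime) as an added example. This is not penumbra-zone/web or prax code; it assumes Node.js, uses constructed sample icons rather than registry files, and implements the "sanitize for scripts" step as a reject-unsafe-icons check (fall back to a placeholder) rather than trying to rewrite hostile SVG in place.

```javascript
// Added example, not project code. Vets SVG icons at build time and turns the
// accepted ones into data URIs that can be bundled in the extension, so the
// web app never fetches an icon URL from a third party when rendering balances.
// Assumes Node.js (Buffer). Icons below are constructed samples.

// Any hit means the icon carries active content or would trigger a network
// request when rendered; policy is reject-and-log, not rewrite.
const UNSAFE_PATTERNS = [
  /<\s*script\b/i,                                  // inline script
  /<\s*foreignObject\b/i,                           // arbitrary embedded HTML
  /<\s*(?:iframe|embed|object)\b/i,
  /\son[a-z]+\s*=/i,                                // event handlers: onload=, onclick=, ...
  /javascript\s*:/i,                                // javascript: URIs
  /(?:xlink:)?href\s*=\s*["'](?:https?:)?\/\//i,    // remote href (<image>, <use>) leaks again
  /@import|url\s*\(\s*["']?(?:https?:)?\/\//i,      // CSS pulling remote resources
];

// Returns { ok: true } or { ok: false, reason } for one SVG document string.
function vetSvg(svgText) {
  if (!/^\s*(?:<\?xml[^>]*>\s*)?(?:<!--[\s\S]*?-->\s*)*<svg\b/i.test(svgText)) {
    return { ok: false, reason: 'not an <svg> document' };
  }
  const hit = UNSAFE_PATTERNS.find((re) => re.test(svgText));
  return hit ? { ok: false, reason: `matched ${hit}` } : { ok: true };
}

// Vetted SVG -> data URI usable from the extension (over RPC or as a bundled asset).
function svgToDataUri(svgText) {
  const verdict = vetSvg(svgText);
  if (!verdict.ok) throw new Error(`rejected icon: ${verdict.reason}`);
  return 'data:image/svg+xml;base64,' + Buffer.from(svgText, 'utf8').toString('base64');
}

// entries: [{ symbol, svg }] -> { symbol: dataUri }; rejected icons are skipped
// so the frontend falls back to a generic placeholder for them.
function buildIconMap(entries) {
  const out = {};
  for (const { symbol, svg } of entries) {
    const v = vetSvg(svg);
    if (v.ok) out[symbol] = svgToDataUri(svg);
    else console.warn(`skipping icon for ${symbol}: ${v.reason}`);
  }
  return out;
}

// Constructed samples (hypothetical symbols, not registry entries).
const SAFE_ICON = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#0af"/></svg>';
const SCRIPT_ICON = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';
const REMOTE_ICON = '<svg xmlns="http://www.w3.org/2000/svg"><image href="https://example.invalid/logo.png"/></svg>';
const HANDLER_ICON = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>';
```

The remote-href pattern matters as much as the script one: an `<image href="https://...">` inside a "local" icon would reintroduce exactly the per-asset request this issue is about.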