DanielSinclair
commented
2 months ago Hi @stephancill. Thank you for highlighting this. We currently don't inject our provider into iframes because of known vulnerabilities with this approach that wallets have experienced in the past. But we are reevaluating and discussing to see if there is a better approach given your valid usecase.
I have a few recommendations of a better way to approach this:
- Use EIP-6963 and inject mipd into the page directly (i.e. x.com)
- Pass messages to and from your iframes, inpage script, and background script to maintain a singular provider instance
- Require only one connection approval from the user. In the Farcaster world, you're essentially putting trust in Farcaster to forward frame transactions. You should follow this model within your extension, and only ask the user to approve one dApp connection approval
- Prepare transactions on the client-side. With Frames or Blinks, you typically wouldn't need to interact with
windowdirectly. Rather your Frame would return a prepared transaction at an endpoint, and Farcaster or Blinks would forward this transaction to the wallet. You would want to maintain this for compatibility; otherwise the frames would work with Frames.fun, but not Farcaster, and vice versa.
We're working on frames.fun, which adds farcaster frames to X using iframes - for some reason
window.ethereumis not available in the added iframes we add to the page whereas metamask is.Do you have any ideas around why this could be the case?
Maybe the content script load isn't triggered multiple times due to some deduplication by tab?
Happy to provide more details/repro if nothing comes to mind