Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
EIP-1102: Opt-in provider access #4703
This pull request includes a fully-updated EIP-1102 implementation:
Note: This pull request depends on MetaMask/eth-json-rpc-middleware#5.
Required next steps
Example detection code
Cached domain approval
For sites that currently rely on web3:
This looks great. I added a few comments, none very blocking (although restoring e2e tests is important).
The biggest thing for me that we need to do is decisively agree on when to cut over to this. I suspect we need some of the strongest dapp-dev communication we've ever employed for this, because it will instantly break every dapp out there until they add at least one line of JS to their code.
The good news is this one line is so easy. We should tweet it out. We should get people adding it to their dapps ASAP.
@danfinlay thanks for the review. I took care of all feedback except for adding the titlebar to the approval popup window. Since the popup isn't network-specific, the main function of the titlebar would only be to hold a logo. I agree that a logo would help inform users, but I feel that we should stay consistent with how we also brand transaction approval popups (at least for this PR.)
Updates to this PR:
What this PR means to dapps:
This is going to be a jarring change for dapp developers. MetaMask and other Ethereum-enabled DOM environments are unique in that it's difficult to version changes: extensions (and desktop applications) are usually evergreen, meaning that once a feature is released, downstream users can't selectively pick up that feature as they could if this were, say, an NPM module that could be versioned as downstream projects see fit. Still, it's an extremely necessary change for security purposes. I feel that a sufficient explanation, hand-holding via example code, a lengthy grace period, and buy-in from other dapp browsers will go a long way with our active developer base. I'm happy to author the relevant blog post(s) and to spread awareness throughout the community.
Edit: Ah, forgot e2e tests. Need to trigger
9 times, most recently
Jul 10, 2018
referenced this pull request
Nov 5, 2018
@Grsmto It would also be nice to see the blog post linked to from the console warning updated. The current released version doesn't even have the privacy mode option to ease testing, and the public statements still remain that instead of a phased roll-out it'll be an all-of-a-sudden change applying to everyone by default, to take effect on a now-passed date.
I've already heard some devs say that their dapp is continuing to function fine well after that announced change date, so they must be done and not have anything more to worry about (moving on to the next order of business now...) when the dapp is definitely NOT ready. Updating the blog post with a revised timeline or note that it's on indefinite hold, and noting that once the privacy mode setting is released it'll be off by default for a while to permit dapp changes and testing (hoping that's true!) would be very helpful. Also, devs who did integrate the needed changes early are getting burned by last-minute breaking changes in the breaking change, underscoring the incentive to wait until MetaMask has decided and implemented how this new behavior will work.
Bug in latest build:
Metamask state: Locked, Privacy mode OFF
My understanding is that this screen should not be seen if the user has not opted in.
@bdresser When Privacy Mode is added as an option, is it going to be on by default (per description in the public blog post) or off by default (per responses to @hayesgm above) to allow developers to adapt their dapps based on what the actual implementation is, as the adaptation actually needed has apparently been changing quickly within the past few days?
I would highly recommend updating the blog post about what's happening, without waiting for the PR to be merged!
Thanks for supporting better privacy.
referenced this pull request
Nov 5, 2018
@wbt the blog post states
The wording in the subtitle could have been misinterpreted; I've updated it to clarify
@bdresser As far as what I'm seeing, the subtitle says, emphasis added: