-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Browser external application alert on trusted deeplink protocols #6742
Conversation
allow the OS to deeplink trusted protocols such as `wc:` and `metamask:`
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes. |
Hey @sethkfman @NicholasEllul would love your thoughts on this approach |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall no concerns with this. However, do we have documentation anywhere that highlights the use-cases for each deeplink protocol? Is there a reason these sites deeplink into MetaMask rather than interact with the in-page provider?
@jpcloureiro The purpose of the alert box is to make sure users are aware that the navigation is coming from an external source. I think it make sense to add wc:// because the user is actively initiating that connection. The other protocols metamask:// & dapps:// can be triggered outside of a secure session and should be confirmed by the user. WDYT? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Aside from
Dapps should always use the in-page provider when available. In the event of dapps not detecting / using the in-page provider, we want to support other forms of communication so we don't leave the dapp user in the dark. (for example, Uniswap does not detect in-page provider, using in-app browser on Android) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is QA passed 👍
Kudos, SonarCloud Quality Gate passed! |
Development & PR Process
release-xx
label to identify the PR slated for a upcoming release (will be used in release discussion)needs-dev-review
label when work is completedneeds-qa
label when dev review is completedQA Passed
label when QA has signed offDescription
With the introduction of Improve deeplinks experience feature, all URI are intercepted & matched with an allowlist.
URIs with protocols on this allowlist are opened by in-app browser with no restriction.
All protocols not present in this allowlist will trigger an alert box that prompts the user to allow or ignore the action.
When the user allows, this URI is forwarded to the OS deep-link handler.
We've seen this alert box might disrupt the user experience when specific deeplink protocols are used, such as
wc://...
ormetamask://...
In order to improve such user experience, we have created a list of
trusted deeplink protocols
where these URI won't be opened by in-app browser but won't prompt the user to allow or reject, being automatically redirected to the OS deeplink handler.This changes the old behavior described here
Issue
Progresses # https://github.com/MetaMask/mobile-planning/issues/779
Checklist