Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

It's not clear to me what the question is here. Is the concern that we don't think session identifiers need to exist or that we don't believe they need to have cryptographic requirements around them? #1

Open
Duke-1y opened this issue Jul 20, 2023 · 0 comments

Comments

@Duke-1y
Copy link
Owner

Duke-1y commented Jul 20, 2023

It's not clear to me what the question is here. Is the concern that we don't think session identifiers need to exist or that we don't believe they need to have cryptographic requirements around them?

There is a way that we could achieve the same security requirements by binding the session to the origin it's connected to and have the wallet maintain an internal mapping where it checks every session identifier is being used by the correct origin. Then the cryptographic requirements wouldn't be necessary since we'd achieve the security in a different way.

In theory this is actually a more secure design because these session identifiers are capability objects theoretically could be stolen to conduct a session hijacking attack to bypass permissions. The advantage to the cryptographic requirement though is that you can delegate the session permissions to a first/third party iframe which may be useful. In general, I've leaned towards not wanting to allow cross origin sharing of information because it can lead to cross origin tracking and other unexpected privacy and security violations, so maybe it's better that we don't actually use a cryptographic entropy requirement and instead require the wallet to maintain state connecting the origin to the session identifier?

Originally posted by @kdenhartog in ChainAgnostic/CAIPs#228 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant