This repository has been archived by the owner on May 10, 2024. It is now read-only.

Wallet: Only inject wallet provider in a secure context #5518

Closed
nuo-xu opened this issue Jun 13, 2022 · 2 comments · Fixed by #5522 or #5558

Comments

@nuo-xu
Contributor

nuo-xu commented Jun 13, 2022

Ref: Desktop/Android PR brave/brave-core#13739
Ref: https://github.com/brave/security/issues/887#issuecomment-1154447929

We want to inject the wallet provider into a page that is secure and only has secure content.

@StephenHeaps
Contributor

Re-opening to handle treating a page that has loaded mixed-content as insecure and rejecting dapp requests.

ref: https://github.com/brave/security/issues/887#issuecomment-1162409406

@StephenHeaps StephenHeaps reopened this Jun 22, 2022
StephenHeaps added a commit that referenced this issue Jun 22, 2022
* Fixed mixed-content validation + missing error handler
* Only check against `hasOnlySecureContent` when not local. Don't reply when request is invalid.
Co-authored-by: Brandon T <[email protected]>
soner-yuksel pushed a commit that referenced this issue Jun 22, 2022
* Fixed mixed-content validation + missing error handler
* Only check against `hasOnlySecureContent` when not local. Don't reply when request is invalid.
Co-authored-by: Brandon T <[email protected]>
@srirambv
Contributor

Verification passed on iPhone 7+ with iOS 14.8.1 running 1.40 (22.6.24.14)

  • Verified steps from #5522 / #5558
  • Verified able to connect to a Dapp which is available over secure connection
  • Verified unable to trigger Dapp connection over http. (Used eth manual test page via proxy and couldn't trigger dapp connection notification)

Verification passed on iPhone XR with iOS 15.6 running 1.40 (22.6.24.14)

  • Verified steps from #5522 / #5558
  • Verified able to connect to a Dapp which is available over secure connection
  • Verified unable to trigger Dapp connection over http. (Used eth manual test page via proxy and couldn't trigger dapp connection notification)

Verification passed on iPad Pro with iOS 15.6 Beta running 1.40 (22.6.24.14)

  • Verified steps from #5522 / #5558
  • Verified able to connect to a Dapp which is available over secure connection
  • Verified unable to trigger Dapp connection over http. (Used eth manual test page via proxy and couldn't trigger dapp connection notification)
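
The gate discussed in this thread (secure page, no mixed content, `hasOnlySecureContent` consulted only for non-local pages, no reply to an invalid request), modelled as a pure Swift function. This is an added example, not code from brave-ios: `PageState`, `ProviderDecision`, `isLocal` and `decide` are hypothetical names, and reading "local" as a loopback host that is allowed regardless of scheme is an assumption.

```swift
import Foundation

/// What the native side knows about the page that sent a provider request.
/// In a WKWebView-based browser the flag would come from
/// `WKWebView.hasOnlySecureContent`.
struct PageState {
    let url: URL?
    let hasOnlySecureContent: Bool
}

enum ProviderDecision: Equatable {
    case allow
    case ignore(reason: String)  // dropped silently: nothing is sent back to the page
}

/// Assumption: "local" means a loopback host.
func isLocal(_ url: URL) -> Bool {
    guard let host = url.host?.lowercased() else { return false }
    return ["localhost", "127.0.0.1", "::1", "[::1]"].contains(host)
}

func decide(for page: PageState) -> ProviderDecision {
    guard let url = page.url, let scheme = url.scheme?.lowercased() else {
        return .ignore(reason: "no page URL")
    }
    // Local pages are not served over TLS, so the mixed-content flag
    // is not consulted for them.
    if isLocal(url) { return .allow }
    guard scheme == "https" else { return .ignore(reason: "insecure scheme") }
    // An https page that pulled in any http subresource counts as insecure.
    guard page.hasOnlySecureContent else { return .ignore(reason: "mixed content") }
    return .allow
}

// Constructed sample pages: (URL, hasOnlySecureContent)
let samples: [(String, Bool)] = [
    ("https://dapp.example/", true),    // secure page, secure content
    ("https://dapp.example/", false),   // secure page that loaded mixed content
    ("http://dapp.example/", false),    // plain http
    ("http://localhost:8080/", false),  // local development page
]
for (address, secure) in samples {
    let page = PageState(url: URL(string: address), hasOnlySecureContent: secure)
    print(address, "hasOnlySecureContent=\(secure)", "->", decide(for: page))
}
```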
