Create providers only in secure contexts #23407

Closed
bbondy opened this issue Jun 10, 2022 · 4 comments · Fixed by brave/brave-core#13739
Labels
feature/web3/wallet Integrating Ethereum+ wallet support OS/Android Fixes related to Android browser functionality OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release-notes/include security

Comments

@bbondy
Member

bbondy commented Jun 10, 2022

Only define window.ethereum and window.solana in a secure context.
I.e. only for pages with window.isSecureContext

This includes 127.0.0.1, localhost, and https sites.
But not URLs like http://a.com

@bbondy bbondy added OS/Android Fixes related to Android browser functionality OS/Desktop labels Jun 10, 2022
@bbondy bbondy self-assigned this Jun 10, 2022
@bbondy bbondy added QA/Yes release-notes/include priority/P2 A bad problem. We might uplift this to the next planned release. security labels Jun 10, 2022
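
The rule stated in the issue, written out as an added example that is not code from the issue or from Brave. `isPotentiallyTrustworthy` and `auditWindow` are hypothetical names, and the URL check is an approximation covering only https and loopback hosts; the real `window.isSecureContext` also depends on ancestor frames.

```javascript
// Added example, not Brave's implementation. Provider names are from the issue.
const PROVIDERS = ['ethereum', 'solana'];

// Approximates the URL side of window.isSecureContext for the cases the
// issue names: https, localhost and loopback addresses. Assumption: only
// http(s) page URLs are of interest; other schemes are treated as insecure.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never treated as secure
  }
  if (url.protocol === 'https:') return true;
  if (url.protocol !== 'http:') return false;
  const host = url.hostname.replace(/\.$/, ''); // tolerate "localhost."
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '[::1]') return true; // IPv6 loopback keeps its brackets
  // WHATWG URL parsing normalizes IPv4 hosts to dotted-quad form, so an
  // anchored match on the first octet covers 127.0.0.0/8 and rejects
  // lookalikes such as 127.0.0.1.a.com.
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  return m !== null && m[1] === '127';
}

// Run against a page's `window` (or a test double): returns the providers
// that are defined although the context is not secure. Expected: [].
function auditWindow(win) {
  if (win.isSecureContext) return [];
  return PROVIDERS.filter((name) => typeof win[name] !== 'undefined');
}

// Constructed sample URLs, mirroring the cases listed in the issue.
for (const u of ['https://a.com/', 'http://localhost:3000/',
                 'http://127.0.0.1:8080/', 'http://a.com/']) {
  console.log(u, isPotentiallyTrustworthy(u) ? 'secure' : 'insecure');
}
```

In a browser console, `auditWindow(window)` on an `http://` page should return an empty array once the fix is in place.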
@verdihatorou

Thanks for the information

@kjozwiak
Member

The above will require 1.40.99 or higher for 1.40.x verification 👍

@srirambv
Contributor

srirambv commented Jun 15, 2022

Brave: 1.40.99 Chromium: 102.0.5005.125 (Official Build) beta (64-bit)
Revision: 07573b09e385116e620ed12d5ef2402c4bfa929f-refs/branch-heads/5005@{#1159}
OS:
  ☑️ Linux
  ☑️ Windows 11 Version 21H2 (Build 22000.708)
  ☑️ macOS Version 12.0.1 (Build 21C52)

  • Verified steps from brave/brave-core#13739
  • Verified window.ethereum & window.solana are available for secure contexts including 127.0.0.1, localhost, and https sites.
  • Verified window.ethereum & window.solana are not available for insecure links like http://a.com/

@srirambv
Contributor

Verification passed on the following devices running 1.40.101 x64 build

  • Verified window.ethereum is available only for https contexts

Oppo Reno 5 (Android 12): [screenshots: HTTPS, HTTP]

Samsung Tab A (Android 10): [screenshots: HTTPS, HTTP]
