We really should’ve listened to Micah and used window.postMessage. I’m working on an iframe host for dapps, and this would’ve been the best way to achieve this.
Not sure if this counts as a necropost, but I’ll chime in since it was brought up fairly recently.
The architecture I had in mind was:
- a trusted domain with a wallet generation page
- this page is embedded in other webapps using an iframe
- apps can communicate with the iframe through the window.postMessage API to request a signature, triggering a visual request in the iframe

Of course this has vulnerabilities where a third party could embed the iframe in some hidden way and manipulate the wallet, which we could mitigate by only allowing the iframe to be loaded from predefined trusted third-party domains.
This implementation falls through because standard client libraries like viem do not implement ‘connect wallet’ this way, only working via window.ethereum and not window.postMessage.
I believe the limitation we ran into is that iframes cannot access the window API directly like this; only installed extensions can. This is a blocker to a cross-website wallet experience that does not require a Chrome extension to be installed (or social login and a custodial wallet, which is not a solution for obvious reasons), at least using standard client libraries like ethers and viem.
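As an added example (not code from anyone in this thread), this is how the embedded wallet page described above would gate incoming postMessage signature requests on the embedder's origin, the mitigation the post mentions. The origin allow-list, the message shape (`sign_request` / `sign_response`) and the function names are all hypothetical; the origins are constructed placeholders.

```javascript
// Hypothetical allow-list of web apps permitted to embed the wallet iframe.
// The server-side counterpart is a Content-Security-Policy frame-ancestors
// header on the wallet page listing these same origins.
const ALLOWED_EMBEDDERS = new Set([
  "https://app.example",        // constructed placeholder origins
  "https://dashboard.example",
]);

// Pure decision function for a received "message" event, kept free of DOM
// access so it can be exercised outside a browser.
// Returns { ok: true, request } or { ok: false, reason }.
function handleWalletMessage(event, allowedOrigins = ALLOWED_EMBEDDERS) {
  // 1. Reject anything not sent by an allow-listed embedding page.
  //    event.origin is set by the browser and cannot be spoofed by the sender.
  if (!allowedOrigins.has(event.origin)) {
    return { ok: false, reason: `untrusted origin ${event.origin}` };
  }
  // 2. Validate the shape; data from another window is untrusted input.
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "sign_request") {
    return { ok: false, reason: "malformed or unsupported message" };
  }
  if (typeof data.id !== "string" || typeof data.payload !== "string") {
    return { ok: false, reason: "sign_request needs string id and payload" };
  }
  return { ok: true, request: { id: data.id, payload: data.payload, origin: event.origin } };
}

// Browser wiring for the wallet iframe. showApprovalPrompt renders the visual
// request to the user and resolves with a signature only on approval.
function installWalletListener(win, showApprovalPrompt) {
  win.addEventListener("message", (event) => {
    const result = handleWalletMessage(event);
    if (!result.ok) return; // ignore silently; reveal nothing to unknown origins
    showApprovalPrompt(result.request).then((signature) => {
      // Reply only to the origin that asked, never with targetOrigin "*".
      event.source.postMessage(
        { type: "sign_response", id: result.request.id, signature },
        result.request.origin
      );
    });
  });
}

// Host-page side: always name the wallet origin as targetOrigin so the request
// cannot be delivered to a different document loaded into the frame.
function requestSignature(iframeWindow, walletOrigin, id, payload) {
  iframeWindow.postMessage({ type: "sign_request", id, payload }, walletOrigin);
}

if (typeof window !== "undefined") {
  installWalletListener(window, () => Promise.reject(new Error("approval UI not wired")));
}
```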