Now we have to add a whole other encryption layer to the communication as well. At the same time, this encryption public key needs to be random, otherwise anyone would know the decryption key. Also, the dapps need to generate an encryption key as well to receive the communication. Now we have to define what is the proper encryption type …etc. I strongly believe we shouldn’t decide how the communication should be handled from dapp to extension, especially as we don’t know which new, more secure ways would be introduced in the future.
Like I mentioned before, iframe wallets are not a priority, at least for me, based on the issues which I outlined earlier.
The WebRTC solution is where the extension acts as a WebRTC server and dapps can connect to it. This is just an example of different ways to communicate which are way more secure than window.postMessage.
For me this itself is a huge vulnerability with window.postMessage.
Just imagine: you are on MEW and we decided to embed an iframe thinking it is safe, however it turned out to be a bad actor. Now the user will get a popup to sign a tx, and since they are on MEW they think it is from MEW; however, the tx is malicious.
I think that, as an EIP, our goal should be to standardize the methods which dapps need to access to communicate, rather than the actual communication protocol.