The setup:
Web developer Bob wants to build a web game using web standards, and Bob doesn’t want to require users to install browser extensions. Bob decides to use eip4337 to create accounts for all his players.
The Question:
How should Bob’s web app display a userop to be signed by a user (the sender: Alice) – without using a browser extension or window.ethereum – such that Alice can know Bob’s web app isn’t doing a bait and switch?
And to make the convo realistic – let’s assume Alice doesn’t want to give Bob’s web app access to her ECDSA private key.
As an example:
WebAuthn-based wallets wanting to get users to sign will send the userop struct as the challenge in a webauthn.credentials.get() call. When the browser-mediated modal pops up to sign, it doesn’t show what you are signing – so how does the user trust this?