Web developer Bob wants to build a web game using web standards, and Bob doesn’t want to require users to install browser extensions. Bob decides to use eip4337 to create accounts for all his players.
How should Bob’s web app display a userop to be signed by a user (the sender: Alice) – without using a browser extension or window.ethereum, such that Alice can know Bob’s web app isn’t doing a bait and switch?
And to make the convo realistic – let’s assume Alice doesn’t want to give Bob’s web app access to her ECDSA priv key.
As an example:
WebAuthn-based wallets wanting to get users to sign will send the userop struct as the Challenge in a webauthn.credentials.get() call. When the browser-mediated modal pops to sign, it doesn’t show what you are signing – so how does the user trust this?