Allow chrome extension to see the window.ethereum attribute

John Dickerson

Sep 4, 2023, 7:41:04 AM
to Chromium Extensions
The chrome extension security model hides any attributes added to the window browser property.

Browser Crypto Wallets like MetaMask inject themselves into window.ethereum so that web sites can connect to them.

However Chrome Extension developers cannot connect to web browser wallets because window.ethereum is used by libraries like Wallet Connect for them to connect to browser wallets and the ethereum attribute is REMOVED from the window object exposed to developers.

This is a MASSIVE shortcoming of the Chrome Extension security model.

Surely Chrome can ALLOW at least the window.ethereum property to be visible?

PLEASE ADVISE why chrome extension architecture REFUSES to accommodate Crypto usage? Certain countries around the world DEPEND on crypto - especially countries with high inflation where HALF the population over 18 use crypto. Why cannot Chrome Extension accommodate crypto and allow window.ethereum to be visible inside the extension context?

I feel the Chrome Extension Architects are basically telling the crypto community to get stuffed. This is super sad and not helpful.

Oliver Dunk

Sep 4, 2023, 7:49:14 AM
to John Dickerson, Chromium Extensions
Hi John,

The isolation by default of content scripts and JS added by the page is an important security boundary - while there are cases like this where mixing the two makes a lot of sense, it would also be dangerous if, for example, the page could overwrite something like `window.alert` to run malicious code that the extension doesn't expect when the extension calls it.

For this reason, you have to explicitly ask to run code in the main world - which you can absolutely do! For example, using the chrome.scripting API in MV3:

chrome.scripting.executeScript({
  target: { tabId: sender.tab.id },
  world: 'MAIN',
  files: ['example.js'],
});

This will run example.js in the "main world" where it will have access to `window.ethereum` and anything else defined by the page. Just be careful with this, as it means any data exposed to that script is also exposed to the page.

Hope that helps - let me know if you have any other questions.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB
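
Added example, not part of the original thread and not Chrome's or any wallet's own code: one way the main-world file from the reply above can hand wallet data back to the extension's isolated content script over `window.postMessage`, with the isolated side validating everything it receives because the page shares that channel. `CHANNEL`, `ALLOWED`, the message shape and all function names are assumptions; `window.ethereum.request()` is the EIP-1193 provider call.

```javascript
// Added example; CHANNEL, ALLOWED and the message shape are hypothetical.
const CHANNEL = 'ext-eth-bridge';
const ALLOWED = new Set(['eth_chainId', 'eth_accounts']);

// Shared filter: same-window message carrying our tag and direction.
function isBridgeMessage(event, win, dir) {
  const m = event.data;
  return event.source === win && typeof m === 'object' && m !== null &&
    m.channel === CHANNEL && m.dir === dir && typeof m.id === 'number';
}

// The page can forge or alter replies, so type-check every value before the
// extension uses it. Returns the validated value or throws.
function validateResult(method, result) {
  const isHex = (s, re) => typeof s === 'string' && re.test(s);
  if (method === 'eth_chainId' && isHex(result, /^0x[0-9a-f]{1,16}$/i)) return result;
  if (method === 'eth_accounts' && Array.isArray(result) && result.length <= 32 &&
      result.every((a) => isHex(a, /^0x[0-9a-f]{40}$/i))) return result;
  throw new Error('rejected untrusted result for ' + method);
}

// MAIN world (the file passed to executeScript): relay allow-listed calls only.
function installMainWorldBridge(win) {
  win.addEventListener('message', async (event) => {
    if (!isBridgeMessage(event, win, 'req')) return;
    const { id, method } = event.data;
    const reply = { channel: CHANNEL, dir: 'res', id, method };
    try {
      if (!ALLOWED.has(method)) throw new Error('method not allowed');
      reply.result = await win.ethereum.request({ method });
    } catch (err) {
      reply.error = String(err.message);
    }
    win.postMessage(reply, win.location.origin);
  });
}

// Isolated world (content script): send a request, accept one validated reply.
function requestFromIsolatedWorld(win, method, id) {
  return new Promise((resolve, reject) => {
    const onMessage = (event) => {
      if (!isBridgeMessage(event, win, 'res') || event.data.id !== id) return;
      win.removeEventListener('message', onMessage);
      try { resolve(validateResult(method, event.data.result)); } catch (e) { reject(e); }
    };
    win.addEventListener('message', onMessage);
    win.postMessage({ channel: CHANNEL, dir: 'req', id, method }, win.location.origin);
  });
}
```

The injected file would call `installMainWorldBridge(window)` and the content script `requestFromIsolatedWorld(window, 'eth_chainId', 1)`. Each world has its own globals, so the shared helpers have to be included in both files.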

John Dickerson

Sep 4, 2023, 8:06:32 AM
to Chromium Extensions, Oliver Dunk, Chromium Extensions, John Dickerson
Thanks Oliver, I now see the light at the end of the tunnel thanks to your very helpful reply.

Thanks again - I owe you a case of beers 

Oliver Dunk

Sep 4, 2023, 8:11:12 AM
to John Dickerson, Chromium Extensions
No problem!

I'm really glad that was helpful :)
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

John Dickerson

Sep 4, 2023, 8:17:28 AM
to Chromium Extensions, Oliver Dunk, Chromium Extensions, John Dickerson
I now need to suss out how executing a javascript file using:

chrome.scripting.executeScript({
  target: { tabId: sender.tab.id },
  world: 'MAIN',
  files: ['example.js'],
});

can update the window.ethereum object so that Wallet Connect can connect to a browser wallet in an extension app opened in a tab.

If anyone thinks this is impossible, speak up.

Thanks
