Obscuring Presence of Browser Plugins with window.postMessage
By Adrian Sutton
There are a number of browser plugins which inject additional JavaScript APIs into the DOM so websites can take advantage of the plugin's functionality. One example is MetaMask, which “brings Ethereum to your browser”. The downside is that any website the user visits can detect that the plugin is installed simply by checking for the presence of those APIs, which helps attackers single out plugin users, as in the recent spate of phishing attacks against MetaMask users. So there is now a proposal to require websites to get specific authorisation from the user before the APIs are injected. And since injecting an API just so the website can request access would defeat the point, it uses window.postMessage:
Dapps MUST request the web3 API by sending a message using window.postMessage API. This message MUST be sent with a payload object containing a type property with a value of “WEB3_API_REQUEST” and an optional id property corresponding to an identifier of a specific wallet provider, such as “METAMASK”.

If the plugin is installed it will prompt the user for access and, if granted, inject the APIs into the DOM. If the plugin isn’t installed, or if the user refuses access, the website simply receives no response. Clever.
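To make the handshake concrete, here is an added example (not from the post or from MetaMask) that simulates both sides of it. FakeWindow, installPlugin, requestWeb3 and the askUser consent callback are constructed stand-ins for the browser window, the wallet's content script and its permission prompt; the point it shows is that a website sending the request gets exactly the same silence whether the plugin is absent or the user said no.

```javascript
// Constructed stand-in for a browser window: just enough of postMessage and
// addEventListener to run the exchange described in the proposal. Dispatch is
// synchronous here for simplicity; a real browser delivers messages asynchronously.
class FakeWindow {
  constructor(origin) { this.origin = origin; this.listeners = []; this.web3 = undefined; }
  addEventListener(type, fn) { if (type === 'message') this.listeners.push(fn); }
  postMessage(data, targetOrigin) {
    // Mirrors the browser rule: a message is dropped unless targetOrigin is '*'
    // or matches the receiving window's origin.
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return;
    for (const fn of this.listeners) fn({ data, origin: this.origin, source: this });
  }
}

// Plugin side (what a wallet's content script would do, as assumed here): accept
// only a well-formed WEB3_API_REQUEST addressed to this provider, ask the user,
// and inject the API only on consent. Every other outcome is silence.
function installPlugin(win, providerId, askUser) {
  win.addEventListener('message', (event) => {
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || msg.type !== 'WEB3_API_REQUEST') return;
    if (msg.id !== undefined && msg.id !== providerId) return; // aimed at another wallet
    if (!askUser(event.origin)) return;                         // refused: no reply at all
    win.web3 = { provider: providerId };                        // the injected API
  });
}

// Website side: post the request to its own window. Using the page's own origin
// rather than '*' as targetOrigin is a small hardening habit, not required by the
// proposal. The only thing the site can observe afterwards is whether window.web3
// appeared; there is no negative acknowledgement to wait for.
function requestWeb3(win, id) {
  win.postMessage({ type: 'WEB3_API_REQUEST', id }, win.origin);
  return win.web3 !== undefined;
}
```

In a real page the check would be a timeout-bounded poll for the injected object, and even then "not installed" and "refused" are indistinguishable, which is the whole idea.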