Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add how-to on restricting rpc apis by URL #1223

Merged
merged 5 commits into from
Mar 21, 2024
Merged

Add how-to on restricting rpc apis by URL #1223

merged 5 commits into from
Mar 21, 2024

Conversation

ziad-saab
Copy link
Contributor

closes MetaMask/MetaMask-planning#1285.

@ziad-saab ziad-saab requested review from a team as code owners March 18, 2024 23:02
@github-actions GitHub Actions
Copy link

Preview published: zs/restrict-rpc

@alexandratran alexandratran self-assigned this Mar 18, 2024
@Montoya
Copy link
Collaborator

Montoya commented Mar 19, 2024
edited
Loading

I think the tutorial should use the URL library like so: https://codepen.io/m0nt0y4/pen/WNLxYGw

Relying on Array.prototype.includes() will miss if the origin is "https://metamask.io" and the array contains "https://metamask.io/" or if the origin is "https://metamask.io/dapp/" and the array contains "https://metamask.io". The point of using the URL library is to extract the most important parts of the origin (protocol + host) and key based on that. Then you can just store the host in the array and compare against that, and require the request to always come from https. Or store both protocol + host in the array and compare against both.

I admit this can cause issues if the request is coming from a host like vercel. The truth is there's no easy way to key based on a URL, it depends on what the developer wants to use.

Montoya
Montoya requested changes Mar 19, 2024
View reviewed changes
Copy link
Collaborator

@Montoya Montoya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See above

Montoya
Montoya requested changes Mar 19, 2024
View reviewed changes
@ziad-saab
Copy link
Contributor Author

Relying on Array.prototype.includes() will miss if the origin is "https://metamask.io" and the array contains "https://metamask.io/" or if the origin is "https://metamask.io/dapp/" and the array contains "https://metamask.io".

@Montoya it's my understanding and experience that the origin parameter is already just protocol + domain. it doesn't contain any path information. Do we still think it's necessary to include the URL manipulation in this case?

@github-actions GitHub Actions
Copy link

Preview published: zs/restrict-rpc

@ziad-saab ziad-saab requested a review from Montoya March 19, 2024 20:52
@Montoya
Copy link
Collaborator

Montoya commented Mar 20, 2024

@ziad-saab Oh, maybe my understanding is wrong. If that is true then this approach should work fine.

alexandratran
alexandratran approved these changes Mar 21, 2024
View reviewed changes
Copy link
Contributor

@alexandratran alexandratran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor edits to content. LGTM.

@github-actions GitHub Actions
Copy link

Preview published: zs/restrict-rpc

@Montoya Montoya merged commit 8dcfb8d into main Mar 21, 2024
8 checks passed
@Montoya Montoya deleted the zs/restrict-rpc branch March 21, 2024 04:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Montoya Montoya Montoya approved these changes

@alexandratran alexandratran alexandratran approved these changes

Assignees

@alexandratran alexandratran

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ziad-saab @Montoya @alexandratran