
Add EIP: dApp Security Policy Standard

Open bernard-wagner opened this issue 1 year ago • 3 comments

Very early draft for the related ENSIP:

ENSIP-XX: Security Policy Records

Author Bernard Wagner (@bernard-wagner)
Status Draft
Submitted TBC

Abstract

This ENSIP extends ENSIP-5: Text Records and defines a record, dappsec, that specifies the location of a security policy as described in EIP-TBC. The text record is intended to be queried by wallets for domains imported using ENSIP-6: DNS-in-ENS, thereby notarising the security policy for a particular domain or subdomain. Wallets can then use the security policy to validate the properties of transaction signing requests based on their HTTP origin. The objective is to mitigate the impact of front-end hacks, such as DNS takeovers or supply-chain compromises of front-end components.

Motivation

Hackers often target dApp front-ends to coerce users into signing transactions that allow the hacker to transfer victims' funds. By introducing a security policy standard, wallet providers can implement safeguards as described in EIP-XXX to protect users against such attacks.

Specification

Introduce a well-known global text record that allows wallet providers to discover the security policy for a hosted dApp using on-chain data.

Example Text Record:

dappsec: uri=https://mywebapp.xyz/.well-known/ensip-xx.json hash=0x-hex-string
  • URI: MUST specify the https or ipfs schemas.
  • Hash: When the location is specified using the https schema, it MUST contain the policy document's keccak256 hash as a 0x-prefixed lowercase hex string. The hash property is OPTIONAL for the ipfs schema, as the policy's integrity is implicit.

bernard-wagner avatar Oct 22 '24 07:10 bernard-wagner
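How a wallet might validate a `dappsec` text record against the MUST rules in the draft above, as an added example that is not part of the original post or of any ENS/EIP reference code. Assumptions: the record value is space-separated `key=value` pairs as in the draft's example, unknown keys are ignored, and `keccak256` is a caller-supplied function returning a 0x-prefixed lowercase hex digest; the names `parseDappsecRecord` and `policyMatchesRecord` are hypothetical.

```javascript
// Added example: strict parser for the draft's "dappsec" text record.
// A keccak256 digest is 32 bytes, so the hash must be 0x + 64 lowercase hex chars.
const KECCAK256_HEX = /^0x[0-9a-f]{64}$/;

function parseDappsecRecord(value) {
  const fields = new Map();
  for (const pair of value.trim().split(/\s+/)) {
    const eq = pair.indexOf("=");
    if (eq <= 0) throw new Error(`malformed field: "${pair}"`);
    const key = pair.slice(0, eq);
    // Reject duplicates so two parsers can never disagree on which value wins.
    if (fields.has(key)) throw new Error(`duplicate field: ${key}`);
    fields.set(key, pair.slice(eq + 1)); // the value may itself contain '='
  }
  if (!fields.has("uri")) throw new Error("missing uri");

  let url;
  try {
    url = new URL(fields.get("uri"));
  } catch {
    throw new Error("uri is not a valid URL");
  }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  if (scheme !== "https" && scheme !== "ipfs") {
    throw new Error(`scheme not allowed: ${scheme}`);
  }

  const hash = fields.has("hash") ? fields.get("hash") : null;
  // https content is mutable, so the on-chain hash is what pins the policy.
  if (scheme === "https" && hash === null) {
    throw new Error("hash is required for https");
  }
  if (hash !== null && !KECCAK256_HEX.test(hash)) {
    throw new Error("hash must be 0x-prefixed lowercase keccak256 hex");
  }
  return { uri: fields.get("uri"), scheme, hash };
}

// Compare the fetched policy document with the notarised hash.
// Fails closed: a record without a hash is only accepted for ipfs.
function policyMatchesRecord(record, policyBytes, keccak256) {
  if (record.hash === null) return record.scheme === "ipfs";
  return keccak256(policyBytes) === record.hash;
}
```

A wallet would call `policyMatchesRecord` on the raw bytes it fetched before parsing the policy, and treat any thrown error or `false` result as "no valid policy" for that origin.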

File EIPS/eip-dapp-security.md

Requires 1 more reviewers from @axic, @g11tech, @gcolvin, @lightclient, @samwilsn, @xinbenlv

eth-bot avatar Oct 22 '24 07:10 eth-bot

The commit b933997b4847fbd6a73d7293154edc0162403815 (as a parent of 7dcd3503c84b6a87db06bd55e7d6a3c10fb5f629) contains errors. Please inspect the Run Summary for details.

github-actions[bot] avatar Oct 22 '24 08:10 github-actions[bot]

@bernard-wagner this looks like it should be an ERC. Suggest creating the PR in the ERCs repo. https://github.com/ethereum/ERCs

abcoathup avatar Oct 22 '24 22:10 abcoathup