Nostr Web Client

Yes. I think most people misunderstand how this works.

A bit of JS code is injected that takes the nostr.* calls communicates with the extension that is in an isolated context (AFAIK with postMessage). The extension then checks permissions or does popups.

:/ please do some research

jb55 1y ago

yeah its slightly more isolated, but its still floating around in the process space and js env. I would just feel more comfortable with runtime.sendNativeMessage to an app with no network access and shared keychain access with Damus

Reply to this note

Please Login to reply.

Discussion

semisol 1y ago

makes sense, but you probably have bigger problems if there’s a safari ACE vulnerability