Imagine you are visiting a phishing site. You are going to post a photo of your meal, but the app is asking a signer to sign for something new to the identity use case and something new to the Bitcoin API.
Discussion
This is covered by a) permissions; in your scenario the extension would delay the second request until the user responds to the first request.
All right.
Apart from checking the legitimacy of the URL, I also don't know of any security defense other than a visual check by the user.
I know there are some that go a step further and validate and alert on the sign message in Web3, but to do this, the attack case needs to be templated/specified.
The signPsbt prompt window is going to be very different from the signEvent window. Everything to know about each input and output will be displayed to the user, including the script.
The wallet (soon tm) will also have a `window.bitcoin.register_xpub` method for registering signed xpubs into an address book, which the signPsbt prompt will use to highlight addresses for simple verification.
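The two points raised in the thread (a second request is held until the user answers the first, and the signPsbt prompt shows every input and output rather than the signEvent summary) as a minimal model, added here as an example and not the wallet's own code. `SignerGate`, the `decide` callback standing in for the popup, and the method names `nostr.signEvent` / `bitcoin.signPsbt` are assumed names; the scenario data is constructed.

```javascript
// Added example (not the extension's code): per-origin serialization of
// signing requests, with a method-specific prompt built for the user.
class SignerGate {
  // decide(prompt) -> Promise<boolean>; stands in for the real popup (assumed).
  constructor(decide) {
    this.decide = decide;
    this.chains = new Map(); // origin -> tail of that origin's request queue
    this.log = [];           // what was shown and what the user answered
  }

  // The prompt differs per method: a note summary vs. a full PSBT breakdown.
  describe(origin, method, payload) {
    if (method === 'nostr.signEvent') {
      return { origin, method, kind: payload.kind, content: payload.content };
    }
    if (method === 'bitcoin.signPsbt') {
      return {
        origin, method,
        inputs: payload.inputs.map(i => `${i.txid}:${i.vout} script=${i.script}`),
        outputs: payload.outputs.map(o => `${o.address} ${o.sats} sats`),
      };
    }
    throw new Error(`unknown method ${method}`);
  }

  // A new request from the same origin waits behind any pending prompt.
  request(origin, method, payload) {
    const prev = this.chains.get(origin) || Promise.resolve();
    const run = prev.then(async () => {
      const prompt = this.describe(origin, method, payload);
      this.log.push(`prompt:${method}`);
      const ok = await this.decide(prompt);
      this.log.push(`${ok ? 'approved' : 'rejected'}:${method}`);
      if (!ok) throw new Error(`user rejected ${method} for ${origin}`);
      return { method, prompt };
    });
    this.chains.set(origin, run.catch(() => {})); // keep queue alive after a rejection
    return run;
  }
}

// Constructed scenario: the site asks for a note signature, then immediately a PSBT.
async function phishingScenario() {
  const answers = { 'nostr.signEvent': true, 'bitcoin.signPsbt': false };
  const gate = new SignerGate(async (p) => answers[p.method]);
  const first = gate.request('https://phish.invalid', 'nostr.signEvent', { kind: 1, content: 'my lunch' });
  const second = gate.request('https://phish.invalid', 'bitcoin.signPsbt', {
    inputs: [{ txid: 'aa'.repeat(32), vout: 0, script: 'OP_0 <20-byte-hash>' }],
    outputs: [{ address: 'bc1qexample', sats: 50000 }],
  });
  const results = await Promise.allSettled([first, second]);
  return { log: gate.log, results };
}
```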