Replying to Avatar ぽーまん🐧

Discussion about the safety of NIP-07.

1. If an XSS vulnerability exists, an attacker can take any action that requires a signature via window.nostr.

2. The same applies if there is no XSS vulnerability, but the application developer has malicious intent.

3. Therefore, if the NIP-07 extension is used with "allow all" and "allow forever", the risk is not much different from passing the raw private key to the application.
Avatar
Sirius 2y ago

1-2 is correct, but with NIP-07 the attacker only has access to your account while you're using the XSS-vulnerable application, not after you close the application or vulnerability is fixed. Still, I want to make it easier to use Iris without giving the "allow forever" permission.

Reply to this note

Please Login to reply.

Discussion

Avatar
Nighthaven 2y ago

この人がマルマル・モリモリです

#[0]

Avatar
ぽーまん🐧 2y ago

3 was incorrect. Thank you for pointing this out. I always use Iris when I use Nostr on PC, so it sounds great that more secure and easier to use!