Discussion about the safety of NIP-07.

1. If an XSS vulnerability exists, an attacker can take any action that requires a signature via window.nostr.

2. The same applies if there is no XSS vulnerability, but the application developer has malicious intent.

3. Therefore, if the NIP-07 extension is used with "allow all" and "allow forever", the risk is not much different from passing the raw private key to the application.


Discussion

1-2 is correct, but with NIP-07 the attacker only has access to your account while you're using the XSS-vulnerable application, not after you close the application or the vulnerability is fixed. Still, I want to make it easier to use Iris without giving the "allow forever" permission.
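As an added illustration of the scoping the two posts above discuss (this is not code from the thread, from Iris, or from any real NIP-07 extension): a toy permission gate in JavaScript that models "once", "session" and "forever" grants per origin and event kind, so you can see why a "forever" + "allow all" grant lets a page get anything signed without a prompt, while a session grant stops working once the session ends. The class and method names and the origin `https://app.example` are assumptions made for this example.

```javascript
// Toy model of the permission check a NIP-07 extension performs before it
// signs on behalf of page script calling window.nostr.signEvent().
// Assumed names: PermissionGate, requestSign, endSession (not a real API).
class PermissionGate {
  constructor() {
    this.forever = new Map(); // origin -> Set of event kinds ('*' = allow all)
    this.session = new Map(); // origin -> Set of event kinds, dropped on endSession()
    this.prompts = [];        // every request that would have shown the user a prompt
  }

  grant(origin, kind, scope) {
    if (scope === 'once') return; // a one-off approval leaves no standing grant
    const store = scope === 'forever' ? this.forever : this.session;
    if (!store.has(origin)) store.set(origin, new Set());
    store.get(origin).add(kind);
  }

  hasGrant(origin, kind) {
    for (const store of [this.forever, this.session]) {
      const kinds = store.get(origin);
      if (kinds && (kinds.has('*') || kinds.has(kind))) return true;
    }
    return false;
  }

  // Simulates a signEvent request from `origin`. `decision` stands in for the
  // user's answer to the prompt: null = deny, otherwise { scope, allowAll }.
  requestSign(origin, event, decision) {
    if (this.hasGrant(origin, event.kind)) {
      return { signed: true, prompted: false }; // silent auto-sign, no user in the loop
    }
    this.prompts.push({ origin, kind: event.kind });
    if (!decision) return { signed: false, prompted: true };
    this.grant(origin, decision.allowAll ? '*' : event.kind, decision.scope);
    return { signed: true, prompted: true };
  }

  // Called when the tab/app is closed: session grants vanish, forever grants stay.
  endSession() { this.session.clear(); }
}

// Constructed walkthrough: session grant for kind 1 only, then the session ends.
const gate = new PermissionGate();
const app = 'https://app.example'; // assumed origin
console.log(gate.requestSign(app, { kind: 1 }, { scope: 'session', allowAll: false }));
console.log(gate.requestSign(app, { kind: 1 }, null)); // auto-signed, no prompt
console.log(gate.requestSign(app, { kind: 4 }, null)); // kind 4 not covered: prompted, denied
gate.endSession();
console.log(gate.requestSign(app, { kind: 1 }, null)); // prompted again after session ended
```

With `{ scope: 'forever', allowAll: true }` instead, every later request from that origin returns `prompted: false` even after `endSession()`, which is the situation the original post compares to handing over the raw key.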

3 was incorrect. Thank you for pointing this out. I always use Iris when I use Nostr on PC, so it sounds great that it will be more secure and easier to use!