Research if we're able to detect legacy dapps

[bdresser]

Can we know if a site hasn't updated to support 1102? This will inform #6352

[whymarrh]

Can we know if a site hasn't updated to support 1102?

Yes, I believe that we can detect if a dapp is using the old initialization process. 1102 outlined a dapp initialization process that supersedes the "legacy dapp initialization" that used a global web3 object.^[1] After looking at a small sample of "legacy" dapps and how they use web3, I believe that we detect property access and use that to display custom messaging about 1102 and the larger privacy mode option.

danfinlay/js-eth-personal-sign-examples [2]

Here a dapp is using an address from web3.eth.accounts[0] over "connect":

var from = web3.eth.accounts[0]
if (!from) return connect()

idleKings/Turtle [3]

Here a dapp is using web3.currentProvider:

var web3;
if (typeof window.web3 !== "undefined" && typeof window.web3.currentProvider !== "undefined") {
    web3 = new Web3(window.web3.currentProvider);
} else {
    web3 = new Web3();		
    web3.setProvider(new web3.providers.HttpProvider('https://mainnet.infura.io/uwEccFsRIgwJGznPQLDN'));		
}

We should be able to wrap our injected web3 instance with a Proxy that detect property access and checks whether or not the dapp has already called request provider access. If the dapp has not yet requested provider access, we can display messaging about privacy mode and its implications.

global.web3 = new Proxy(web3, {
  get (_web3, key) {
    switch (key) {
      case 'eth':
        return new Proxy(_web3[key], {
          get (_eth, key) {
            switch (key) {
              case 'accounts':
                console.log('web3.eth.accounts property access')
              default:
                return _eth[key]
            }
          },
          set (_eth, key, value) {
            _eth[key] = value
          },
        })
      case 'currentProvider':
        console.log('web3.currentProvider property access')
      default:
        return _web3[key]
    }
  },
  set (_web3, key, value) {
    _web3[key] = value
  },
})

[danfinlay]

We should be able to wrap our injected web3 instance with a Proxy that detect property access and checks whether or not the dapp has already called request provider access. If the dapp has not yet requested provider access, we can display messaging about privacy mode and its implications.

For this to be a valid solution, it would have to differentiate these legacy dapps from current dapp patterns.

This solution assumes that modern dapps never attempt to access web3 before calling enable(), but I'm not sure that's the case. I think it's actually very common to check web3.eth.accounts to see if a user is logged in, which would trigger legacy dapp detection in this case.

[whymarrh]

Yup, my comment here about us being able to detect property access on web3 was more that it's possible, less that it's a full solution. We can coordinate with the background script to determine whether or not the site is already approved/connected and/or whether or not the user has privacy mode enabled. Some combination of those checks can be run when a dapp accesses properties off web3 to determine whether or not we show messaging around privacy mode.