AEX-4 - æternity wallet deep linking specification

shekhar-shubhendu · April 25, 2019, 3:44am

Hi all, This is the discussion thread for aex-4:

aeternity/AEXs/blob/master/AEXS/aex-4.md

# AEX-4

```
AEX: 4
Title: æternity wallet deep linking specification
Author: Shubhendu Shekhar (@shekhar-shubhendu), Andrea Giacobino (@noandrea)
License: BSD-3-Clause
Discussions-To: https://forum.aeternity.com/t/aex-4-aeternity-wallet-deep-linking-specification/3231
Status: Withdrawn
Type: Standards Track
Created: 2019-04-03
```

## Simple Summary

The document describes and defines the deep linking specification that every æternity supported wallet can implement and follow to redirect users to a specific activity or page inside the application.

## Motivation

URI based deep linking enables websites or applications to interact with native applications registered to listen for aeternity URI scheme and trigger wallet actions like open wallet accounts directly from third-party applications.

This file has been truncated. show original

bruteforce.chain · April 25, 2019, 5:40am

I think it’s reasonable to have this specification. What you are proposing sounds good.

nikitafuchs.chain · April 29, 2019, 5:35pm

I also like the idea. we should just take a cautious look at possible security implications of allowing to pass arbitrary callback URLs. My gut tells me that this could somehow be misused in order to mislead users and/or trick them into performing something they didn’t intend to. Any thoughts?

shekhar-shubhendu · April 30, 2019, 3:04am

Passing arbitrary callback URL has its security implications when you’re passing user sensitive information to it. But here the wallet only has to post the transaction id of the payment done and that is already public.

We’ve documented the base standard(that should be there) and this can be further extended upon by wallets and vendors to enhance the overall security as they seem fit.

dcale · May 7, 2019, 9:56am

I like the proposal, here my feedback:

Is there a specific reason why some arguments are passed as “path” and not as “parameters”?
Callback URL’s can as already mentioned be used for XSS-like attacks.
Keep in mind that aeternity is a smart contract capable blockchain, payments are only one use case, do we want this standard to cover payments only?
Goes in the direction of the previous 2 points. Wouldn’t it make sense to remove callback and add a payload instead? -> Merchant redirects you as soon as payment was received + you can add a payment id to the payload (if as a merchant you don’t use 1address per payment).

noandrea · November 21, 2019, 12:30pm

due to the difficulty to agree on the details of the specification it was decided to withdraw the AEX, we may work to an implementation first if there is a use case and then make an AEX proposal

stoyan.chain · November 22, 2019, 8:06pm

The Base aepp is experimenting with this method of connecting aepps with wallets. We will share our prototype in our next release and can discuss making a standard out of it after we gather everyone’s feedback.