Not sure if this is the right place to put this discussion (couldn't post this in /r/ethereum), so here we go:
So I'm a strong believer that in order to create better adoption for Dapps we have to create an easier way to sign transactions. The current way of using MetaMask, hardware wallets, desktop app browsers isn't all that easy for the regular user. So I believe we have to create an SDK that is secure to use and doesn't require users to install anything or trust a website to handle their private key. I know that MEW does not store their keys on their servers, but it still requires a domain to be active and that doesn't feel quite in the spirit of decentralised to me.
I do realise that this idea has flaws, but maybe some people can take a look at it and find better solutions to some problems.
So what I currently came up with (no code execution done yet):
- Have a Dapp website include this wallet.js file.
- The wallet.js file will create a base64 HTML string that includes code to spawn a web worker (from a Blob URL).
- The base64 HTML is inserted in an iframe so it is not available from the top level domain.
- The base64 HTML file asks the user to either create a new wallet or insert their existing mnemonic.
- Store the private key using one of the available persistent storage APIs (localStorage, IndexedDB, etc.).
- The top level frame can `postMessage()` the iframe to ask to sign the transaction.
- The worker then signs the transaction and gives the signed transaction back to the top level domain.
- Since the base64 HTML is the same on each domain, the private key will persist and can be used by each domain.
Sounds good in theory, but there is currently one issue I can't seem to get around:
Browsers block access to localStorage inside of a base64 HTML. I've currently tried to do blob URLs, but these are bound to a domain. So this wouldn't work either.
Please feel free to shoot at the idea, and maybe you have better solutions to get around my current problem.
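
The storage problem described in the post, as an added example that is not part of the original post: it uses the WHATWG URL origin rule (the same one browsers apply) to show which storage partition the wallet frame would get under each loading strategy. The hostnames, the blob UUID, the `hostedFrame` strategy and all function names are constructed for illustration.

```javascript
// Storage origin a browser assigns to a frame loaded from frameUrl.
// Returns null for an opaque origin, where localStorage/IndexedDB access is refused.
function storageOrigin(frameUrl) {
  // WHATWG URL: data: URLs serialize their origin as "null";
  // blob: URLs take the origin of the page that created them.
  const origin = new URL(frameUrl).origin;
  return origin === 'null' ? null : origin;
}

// Constructed sample: two Dapp sites that both include the same wallet.js.
const DAPPS = ['https://dapp-a.example', 'https://dapp-b.example'];

// Three ways wallet.js could load the wallet frame (all hypothetical).
const STRATEGIES = {
  // base64 HTML in an iframe, as proposed in the post
  dataUrl: () => 'data:text/html;base64,PGh0bWw+PC9odG1sPg==',
  // Blob URL created by the embedding page, the second attempt in the post
  blobUrl: (dapp) => `blob:${dapp}/00000000-0000-4000-8000-000000000000`,
  // frame served from one fixed domain, for comparison
  hostedFrame: () => 'https://wallet.example/frame.html',
};

// Can a key saved while visiting one Dapp be read while visiting the other?
function keyPersistsAcrossDapps(strategy) {
  const origins = DAPPS.map((dapp) => storageOrigin(STRATEGIES[strategy](dapp)));
  if (origins.includes(null)) {
    return { strategy, origins, shared: false, reason: 'opaque origin, storage blocked' };
  }
  const shared = new Set(origins).size === 1;
  return {
    strategy,
    origins,
    shared,
    reason: shared ? 'one origin for every Dapp' : 'one storage partition per Dapp origin',
  };
}

for (const name of Object.keys(STRATEGIES)) {
  console.log(keyPersistsAcrossDapps(name));
}
```

Only the frame with a real, fixed origin ends up with storage that every embedding Dapp reaches, which is the domain dependency the post is trying to avoid.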