From 98f68adb11139b2a957f92be38cc485c84c29ceb Mon Sep 17 00:00:00 2001
From: clawbot
Date: Fri, 27 Feb 2026 11:42:11 -0800
Subject: [PATCH 1/5] fix(L3): isUnlocked() returns false when no accounts exposed _metamask.isUnlocked() now checks provider.selectedAddress instead of always returning true.
---
 src/content/inpage.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/inpage.js b/src/content/inpage.js
index b54c149..14b1fcf 100644
--- a/src/content/inpage.js
+++ b/src/content/inpage.js
@@ -134,7 +134,7 @@
 // Some dApps (wagmi) check this to confirm MetaMask-like behavior
 _metamask: {
 isUnlocked() {
- return Promise.resolve(true);
+ return Promise.resolve(provider.selectedAddress !== null);
 },
 },
 };
From 04a34d1a5e0ef605491f2407cb012b8d0ff86d37 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Fri, 27 Feb 2026 11:42:15 -0800
Subject: [PATCH 2/5] fix(L4): generate EIP-6963 provider UUID at install time UUID is generated once via crypto.randomUUID(), persisted in chrome.storage.local, and sent from the content script to the inpage script via postMessage.
---
 src/content/index.js | 17 +++++++++++++++++
 src/content/inpage.js | 29 ++++++++++++++++++++++-------
 2 files changed, 39 insertions(+), 7 deletions(-)
diff --git a/src/content/index.js b/src/content/index.js
index b66b44c..960a1f6 100644
--- a/src/content/index.js
+++ b/src/content/index.js
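Review bot: In `_metamask.isUnlocked()` (src/content/inpage.js, patch 1/5) the new test `provider.selectedAddress !== null` is true for every non-null value, so if `selectedAddress` is ever `undefined` or an empty string the method still reports unlocked. How that field is initialised is outside the hunk; unless `null` is guaranteed, `return Promise.resolve(Boolean(provider.selectedAddress));` is the safer form. The method now answers "has this origin been given an account" rather than the wallet's lock state, so a comment such as `// true only once an account is exposed to this origin; not the wallet's lock state` would stop later code from relying on it for anything stronger. The enclosing provider object starts before the hunk.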
@@ -13,6 +13,23 @@ if (typeof browser !== "undefined") {
 (document.head || document.documentElement).appendChild(script);
 }
+// Send the persisted EIP-6963 provider UUID to the inpage script.
+// Generated once at install time and stored in chrome.storage.local.
+(function sendProviderUuid() {
+ const storage =
+ typeof browser !== "undefined"
+ ? browser.storage.local
+ : chrome.storage.local;
+ storage.get("eip6963Uuid", (items) => {
+ let uuid = items?.eip6963Uuid;
+ if (!uuid) {
+ uuid = crypto.randomUUID();
+ storage.set({ eip6963Uuid: uuid });
+ }
+ window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, "*");
+ });
+})();
+
 // Relay requests from the page to the background script
 window.addEventListener("message", (event) => {
 if (event.source !== window) return;
diff --git a/src/content/inpage.js b/src/content/inpage.js
index 14b1fcf..bb9a88f 100644
--- a/src/content/inpage.js
+++ b/src/content/inpage.js
@@ -155,21 +155,36 @@
 "",
 );
- const providerInfo = {
- uuid: "f3c5b2a1-8d4e-4f6a-9c7b-1e2d3a4b5c6d",
- name: "AutistMask",
- icon: ICON_SVG,
- rdns: "berlin.sneak.autistmask",
- };
+ let providerUuid = crypto.randomUUID(); // fallback until real UUID arrives
+
+ function buildProviderInfo() {
+ return {
+ uuid: providerUuid,
+ name: "AutistMask",
+ icon: ICON_SVG,
+ rdns: "berlin.sneak.autistmask",
+ };
+ }
 function announceProvider() {
 window.dispatchEvent(
 new CustomEvent("eip6963:announceProvider", {
- detail: Object.freeze({ info: providerInfo, provider }),
+ detail: Object.freeze({
+ info: buildProviderInfo(),
+ provider,
+ }),
 }),
 );
 }
+ // Listen for the persisted UUID from the content script
+ window.addEventListener("message", (event) => {
+ if (event.source !== window) return;
+ if (event.data?.type !== "AUTISTMASK_PROVIDER_UUID") return;
+ providerUuid = event.data.uuid;
+ announceProvider();
+ });
+
 window.addEventListener("eip6963:requestProvider", announceProvider);
 announceProvider();
 })();
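Review bot: The value stored under `eip6963Uuid` in `sendProviderUuid()` (src/content/index.js) is posted into every page the content script runs on, which makes it a stable identifier that any site can read and correlate across origins and browser sessions. As I read EIP-6963, `uuid` only has to distinguish provider instances for the lifetime of a page, so a fresh `crypto.randomUUID()` per page load would satisfy it without persisting anything; worth confirming against the spec before keeping the storage round-trip. If persistence stays, the read-then-write is not atomic: two tabs that load before the first `storage.set` completes each generate and announce a different value. The comment `// Generated once at install time` also does not match code that generates lazily on first page load; `// Generated on first use and stored in chrome.storage.local.` would be accurate.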
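Review bot: In src/content/inpage.js the trailing `announceProvider()` call dispatches `eip6963:announceProvider` with the fallback `crypto.randomUUID()` value, and the new message listener then announces a second time with a different `uuid` once the content script's message arrives. A dApp that keys discovered providers by `info.uuid` could list the same wallet twice in one page; that is inferred from the event flow, since no consumer is visible here. Deferring the first announcement until the UUID is known, or keeping whichever value was announced first for the rest of the page, avoids the mismatch. The enclosing IIFE starts before the hunk.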
From 909543e94386f8041246e12b1590fde0ead0241a Mon Sep 17 00:00:00 2001
From: clawbot
Date: Fri, 27 Feb 2026 11:42:18 -0800
Subject: [PATCH 3/5] fix(L5): truncate token name/symbol from RPC responses Limits token name to 64 chars and symbol to 12 chars to prevent storage of excessively long values from malicious contracts.
---
 src/shared/balances.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/shared/balances.js b/src/shared/balances.js
index 24f19a6..732812a 100644
--- a/src/shared/balances.js
+++ b/src/shared/balances.js
@@ -192,6 +192,10 @@ async function lookupTokenInfo(contractAddress, rpcUrl) {
 name = symbol;
 }
+ // Truncate to prevent storage of excessively long values from RPC
+ name = String(name).slice(0, 64);
+ symbol = String(symbol).slice(0, 12);
+
 log.infof("Token resolved:", symbol, "decimals", Number(decimals));
 return { name, symbol, decimals: Number(decimals) };
 }
From 27f16191b4cb90c985bcb1e380bc320950a1238d Mon Sep 17 00:00:00 2001
From: user
Date: Fri, 27 Feb 2026 11:58:57 -0800
Subject: [PATCH 4/5] fix(L4): use location.origin for postMessage, one-shot UUID listener - Content script sends UUID via location.origin instead of "*" - Inpage UUID listener removes itself after first message to prevent malicious pages from overriding the persisted UUID
---
 src/content/index.js | 2 +-
 src/content/inpage.js | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/content/index.js b/src/content/index.js
index 960a1f6..cfa16e1 100644
--- a/src/content/index.js
+++ b/src/content/index.js
@@ -26,7 +26,7 @@ if (typeof browser !== "undefined") {
 uuid = crypto.randomUUID();
 storage.set({ eip6963Uuid: uuid });
 }
- window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, "*");
+ window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, location.origin);
 });
 })();
diff --git a/src/content/inpage.js b/src/content/inpage.js
index bb9a88f..9a95012 100644
--- a/src/content/inpage.js
+++ b/src/content/inpage.js
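Review bot: The added `slice(0, 64)` and `slice(0, 12)` in `lookupTokenInfo` (src/shared/balances.js) bound the length only; the contract-supplied `name` and `symbol` can still carry control characters, newlines or bidirectional overrides, which matter wherever the strings are later shown or logged (the `log.infof` line directly below prints `symbol`). Stripping those before truncating, for example `name = String(name).replace(/[\p{Cc}\p{Cf}]/gu, "").slice(0, 64);` and the same for `symbol`, would cover that; how the values are rendered is outside this hunk, so confirm the UI inserts them as plain text. `slice` also counts UTF-16 code units and can cut a surrogate pair in half, and `String(null)` yields the literal `"null"`. The function body starts before the hunk.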
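Review bot: In the src/content/index.js hunk of patch 4/5, `location.origin` is the string `"null"` on documents with an opaque origin (sandboxed frames, `data:` documents), and that is not a valid `targetOrigin`, so `window.postMessage` should throw a SyntaxError inside the `storage.get` callback there. Whether the content script is injected into such frames depends on the manifest, which is not shown; where it is, the inpage script silently stays on its fallback UUID. A guard such as `if (location.origin === "null") return;` ahead of the call keeps that case explicit. The `sendProviderUuid` callback starts before the hunk.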
@@ -9,7 +9,7 @@
 const pending = {};
 // Listen for responses from the content script
- window.addEventListener("message", (event) => {
+ window.addEventListener("message", function onUuid(event) {
 if (event.source !== window) return;
 if (event.data?.type !== "AUTISTMASK_RESPONSE") return;
 const { id, result, error } = event.data;
@@ -24,7 +24,7 @@
 });
 // Listen for events pushed from the extension
- window.addEventListener("message", (event) => {
+ window.addEventListener("message", function onUuid(event) {
 if (event.source !== window) return;
 if (event.data?.type !== "AUTISTMASK_EVENT") return;
 const { eventName, data } = event.data;
@@ -178,12 +178,14 @@
 }
 // Listen for the persisted UUID from the content script
- window.addEventListener("message", (event) => {
+ function onProviderUuid(event) {
 if (event.source !== window) return;
 if (event.data?.type !== "AUTISTMASK_PROVIDER_UUID") return;
+ window.removeEventListener("message", onProviderUuid);
 providerUuid = event.data.uuid;
 announceProvider();
- });
+ }
+ window.addEventListener("message", onProviderUuid);
 window.addEventListener("eip6963:requestProvider", announceProvider);
 announceProvider();
From 4fdbc5adaeb957f694017694d04753e620b09037 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Fri, 27 Feb 2026 14:10:37 -0800
Subject: [PATCH 5/5] fmt: prettier format content/index.js
---
 src/content/index.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/content/index.js b/src/content/index.js
index cfa16e1..a31aed7 100644
--- a/src/content/index.js
+++ b/src/content/index.js
@@ -26,7 +26,10 @@ if (typeof browser !== "undefined") {
 uuid = crypto.randomUUID();
 storage.set({ eip6963Uuid: uuid });
 }
- window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, location.origin);
+ window.postMessage(
+ { type: "AUTISTMASK_PROVIDER_UUID", uuid },
+ location.origin,
+ );
 });
 })();
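Review bot: The handlers for `AUTISTMASK_RESPONSE` (hunk at -9) and `AUTISTMASK_EVENT` (hunk at -24) are both renamed to `function onUuid(event)`, although neither handles the UUID message and the commit message does not mention them; this looks like an unintended side effect of the edit made in the third hunk. The duplicate name is harmless at runtime because each is scoped to its own function expression, but it misleads anyone reading stack traces or searching for the UUID handler, and moving away from an arrow function changes `this` inside the callback. I would revert both lines to `window.addEventListener("message", (event) => {`, or name them for what they do, e.g. `function onResponse(event) {` and `function onExtensionEvent(event) {`. Both handler bodies continue outside their hunks.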
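Review bot: `onProviderUuid` (hunk at -178) detaches itself on the first message whose `type` matches, but `event.source !== window` is also satisfied by messages posted from the page's own scripts, so the listener is first-writer-wins rather than bound to the content script. Because the content script only posts after its asynchronous `storage.get` returns, a page-originated message can arrive first, after which the genuine UUID is dropped since the listener is already gone; the one-shot therefore does not by itself deliver the "prevent malicious pages from overriding" goal stated in the commit message. At minimum validate before detaching, e.g. `if (typeof event.data.uuid !== "string" || !UUID_RE.test(event.data.uuid)) return;` placed ahead of `removeEventListener`, with `UUID_RE` a constant still to be added; a real guarantee needs a channel the page cannot write to. As far as this hunk shows, the impact is limited to the announced `info.uuid`.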