Pages:
Author

Topic: Machine-detectable way to give a bitcoin address in an HTML page (Read 2378 times)

sr. member
Activity: 288
Merit: 263
Firstbits.com/1davux
Sounds great, indeed!
newbie
Activity: 40
Merit: 0
Just a follow-up for anyone developing this further. What do you think about using an existing link relation type for bitcoin? "payment" seems to be about right...

So a link might look like:

bitcoin:1NS17iag9jJgTHD1VXjvLCEnZuQ3rJED9L" />

See: https://tools.ietf.org/html/draft-nottingham-http-link-header-10

Relation Name: payment
   o  Description: indicates a resource where payment is accepted.
   o  Reference: [this document]
   o  Notes: this relation type registration did not indicate a
      reference.  Requested by Joshua Kinberg and Robert Sayre.  It is
      meant as a general way to facilitate acts of payment, and thus
      this specification makes no assumptions on the type of payment or
      transaction protocol.  Examples may include a web page where
      donations are accepted or where goods and services are available
      for purchase. rel="payment" is not intended to initiate an
      automated transaction.  In Atom documents, a link element with a
      rel="payment" attribute may exist at the feed/channel level and/or
      the entry/item level.  For example, a rel="payment" link at the
      feed/channel level may point to a "tip jar" URI, whereas an entry/
      item containing a book review may include a rel="payment" link
      that points to the location where the book may be purchased
      through an online retailer.

newbie
Activity: 40
Merit: 0
Why not use the hCard microformat in the HTML to publish receiving addresses?

http://microformats.org/wiki/hcard

Or RDFa?

http://en.wikipedia.org/wiki/RDFa

How about in addition to URLs, we use email addresses to lookup Bitcoin addresses stored in XRD documents via WebFinger?

http://webfinger.org/
http://code.google.com/p/webfinger/wiki/WebFingerProtocol

Seems like this wheel has already been invented.
sr. member
Activity: 288
Merit: 263
Firstbits.com/1davux
No browser involved. You don't need a browser to do an HTTP request and parse the response.

In order to avoid confusion on my proposal, here's a step-by-step example:
  • I'm prompted for a bitcoin address (for example by my desktop bitcoin client, or by mtgox for a withdrawal, etc.)
  • Where the address is expected, I enter http://payb.tc/foo
  • The client (or MtGox, etc.) fetches the URL. If the Content-Type is text/html, it reads the element(s) that's contained in the header, prompting me to choose if there are several ones, or selecting the first one if we're in a non-interactive context. One improvement can be, if the Content-Type is text/plain instead, to assume the response contains the address as is. This would allow me to give, in payb.tc's case, http://payb.tc/foo/text and make the parsing job easier. People would surely appreciate to be able to give their own homepage URL though (like OpenID), hence the idea.
  • It sends the payment to address xxxxxxxxxx.

I do agree that there's a security risk if the HTTP communication is not trusted (no SSL, or SSL with invalid/untrusted certificate), but only in that case.
newbie
Activity: 42
Merit: 0
I think that it's almost a given that any client accepting external automated inputs should require a manual confirmation while providing full details available. e.g. "Received request from site http://blahblahblah.com/somepage to send X bitcoins to
" just to avoid the link saying one thing but sending another to the client.

It's better than that - unless the devs completely fuck up the wallet encryption implementation, you're going to have to enter your wallet password each time you want to send money if you have wallet encryption enabled.

If you enable the URL handler, and you don't have an encrypted wallet, you kind of deserve everything you get.

You need both kind of confirmation. The first is to prevent phishing and fraud, the second to ensure a rogue/buggy client cannot simply access your wallet after bypassing the confirmation prompt.

Definitely somebody who enables external access and doesn't encrypt the wallet deserves getting it stolen Cheesy
sr. member
Activity: 308
Merit: 250
I think that it's almost a given that any client accepting external automated inputs should require a manual confirmation while providing full details available. e.g. "Received request from site http://blahblahblah.com/somepage to send X bitcoins to
" just to avoid the link saying one thing but sending another to the client.

It's better than that - unless the devs completely fuck up the wallet encryption implementation, you're going to have to enter your wallet password each time you want to send money if you have wallet encryption enabled.

If you enable the URL handler, and you don't have an encrypted wallet, you kind of deserve everything you get.
newbie
Activity: 18
Merit: 0
The goal is to give an URL when/where a bitcoin address is needed, because URLs are generally shorter and easier to memorize than bitcoin addresses.

It's also ridiculous insecure as long as the resolving response is not cryptographically signed. Valid certificate/key management on the other hand is hard to do right and average joe fails at this on a daily basis. (just look at browsers for proof)
newbie
Activity: 42
Merit: 0
Yes, but what if someone hacks the browser and sends a send to order to the client? Browsers are very hackable, they are very expose and do a lot of stuff.

A solution might be to have a mode in the client where all the RPC transactions have to be confirmed manually. Im still fearful of connecting the client to the browser but that might work.

I think that it's almost a given that any client accepting external automated inputs should require a manual confirmation while providing full details available. e.g. "Received request from site http://blahblahblah.com/somepage to send X bitcoins to
" just to avoid the link saying one thing but sending another to the client.
legendary
Activity: 1148
Merit: 1001
Radix-The Decentralized Finance Protocol
Are you guys sure you want to connect your browser to the bitcoin client and allow it to send it orders? That would be a hackers paradise.

I don't think anyone's suggesting auto-send are they? I think the browser would just open up the client but have the user click SEND to actually confirm it.

There's already a URI scheme.

Yes, but what if someone hacks the browser and sends a send to order to the client? Browsers are very hackable, they are very expose and do a lot of stuff.

A solution might be to have a mode in the client where all the RPC transactions have to be confirmed manually. Im still fearful of connecting the client to the browser but that might work.
full member
Activity: 154
Merit: 100
Are you guys sure you want to connect your browser to the bitcoin client and allow it to send it orders? That would be a hackers paradise.

I don't think anyone's suggesting auto-send are they? I think the browser would just open up the client but have the user click SEND to actually confirm it.

There's already a URI scheme.
hero member
Activity: 588
Merit: 500
legendary
Activity: 1148
Merit: 1001
Radix-The Decentralized Finance Protocol
Are you guys sure you want to connect your browser to the bitcoin client and allow it to send it orders? That would be a hackers paradise.
full member
Activity: 154
Merit: 100
The interface would go, e.g.: "Pay to: payb.tc/da".

Obviously, it wouldn't be safe to be hard-bound to one specific shortening service, so we need to be able to parse any random HTML page and extract the bitcoin address it contains.

Any shortening service worth it's salt would also output plain text and other useful formats anyway... payb.tc does if you do http://payb.tc/da/text

But I agree it would be great if the various 'withdrawal' and other bitcoin forms around the web would accept a short link, in addition to accepting an address directly.
newbie
Activity: 42
Merit: 0
it would be better and easier to do this instead

bitcoin://public key
bitcoin://send/amount/public key
bitcoin://about

then the browser would pass that off to the default program. then you only need to mess with bitcoin instead of html.

The URI should follow a standard addressing pattern to avoid issues parsing it. I'd suggest something like
bitcoin://[amount]@address/[command][?parameters]

so those become
bitcoin://1.75@address/send
bitcoin://address/about?details=This is my bitcoin address


full member
Activity: 140
Merit: 100
Yes Wink

bitcoin://3.55@address

would be a nice way to handle this.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
Both links and achors are described in Section 12 of the HTML 4.01 specification. Essentially, instead of using an 'HTTP' url, you use a 'bitcoin' url. Some browsers/Forum software get confused when you present it with a url type is does not recognize. For example: Floodgap Systems' official gopher server.
edit:
Code:
Forum software assumed I forgot to include "HTTP". The Http gateway is here.
sr. member
Activity: 288
Merit: 263
Firstbits.com/1davux
What does putting it in a element do that putting it in an anchor won't?

The goal is to give an URL when/where a bitcoin address is needed, because URLs are generally shorter and easier to memorize than bitcoin addresses. I don't have any particular preference for elements over anchors (... elements) – do you have an example of how to transform an URL into a bitcoin address using anchors? Maybe the vCard format could be extended to announce someone's bitcoin address.

I would also like to clarify that although I'm using bitcoin:xxx URI format in my example, this isn't the point. Use bitcoin://xxx?label=foo if you prefer, or whatever, it doesn't matter here. The choice of a particular URI format is off-topic here – this question is debated in length in other threads.

A similar goal would be to discover bitcoin addresses from a JID (XMPP identifier). I've started to work on something to address that.
sr. member
Activity: 308
Merit: 250
mine or his?

I don't know who is right and who is wrong - Everyone who's implementing a URL handler needs to use the format that's on the Wiki, so there's no confusion. Wink
sr. member
Activity: 350
Merit: 251
Don't fuck with the URL format - there's one already established, it should be used (but moreso, it should be damn-well implemented in the client so people stop getting the idea to fuck with it).

What does putting it in a element do that putting it in an anchor won't? Is it for a browser plugin's benefit or what?

mine or his?

steam does what i said, thats were i got the idea from, also magnet links work the same way.
sr. member
Activity: 308
Merit: 250
Don't fuck with the URL format - there's one already established, it should be used (but moreso, it should be damn-well implemented in the client so people stop getting the idea to fuck with it).

What does putting it in a element do that putting it in an anchor won't? Is it for a browser plugin's benefit or what?
Pages:
Jump to: