Lace Permissions: "it can read and change all your data on all websites."
This is completely normal for wallets installed as extensions.
Extensions that need to interact with web pages will almost always require the "Read and change all your data on the websites you visit" permission. Most browser extensions offer features that interact with the current web page, from password managers that need to fill passwords to dictionary extensions that need to define words. That's why this permission is so common.
But why does Lace need these permissions?
These permissions have to do with how web browsers work and what Lace needs in order to work within them.
Lace is a wallet interface, a 'tool' that allows you to interact with the Cardano blockchain network. At a basic level, those interactions consist of sending information to the Cardano network and getting responses back.
Cardano is a decentralized network of computers that syncs information and keeps track of assets, and it isn't really part of the traditional internet. It doesn't receive requests and send information the same way a server hosting a website does. Lace needs your permission to get that information, because in web3, you are the one in control.
How it works:
Let's say you're on a page that will allow you to mint an NFT. This is what happens, step by step:
- You connect Lace to the DApp.
  This lets the DApp know, for example, what your public address is.
- You enter the relevant information, for example how many of the NFTs you want to mint.
- The DApp itself takes the information you put in, bundles it into a proposed transaction or signature request, and passes it off to Lace.
- You execute that request in Lace, and Lace submits it to the network.
  This requires at least one, and sometimes several, signatures: for example, authorizing the DApp to request that your tokens be spent, and then actually authorizing the mint.
- The network receives your request and executes the mint.
- The DApp detects that transaction through its own connection to the Cardano network, and displays to you the NFT that you've minted.
The bottom line:
At no point is Lace itself reading or changing the information on the webpage. The DApp does all the work of updating information from the blockchain.
The reason Lace needs these permissions is because browsers don't offer any other way to open up a channel of communication between Lace and the webpage.
Traditional web browsers weren't built to handle blockchain data, and Daedalus is a full-node desktop wallet rather than a browser tool. That's why Lace was created: to build that functionality into your browser and allow users to interact with the Cardano network easily.
How does this work on a technical level?
In order to enable DApps to access the Cardano network, Lace needs to inject a connection interface into the page. This allows the DApp to access the blockchain, and fetch publicly-available information specific to your wallet, such as the NFTs you hold, or your transaction history, or your token balances.
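To make the connection flow above concrete, here is a constructed simulation of both sides: the connector object a wallet injects into the page, and the page script of a minting DApp that uses it. This is an added example, not Lace's own code; the method names follow the CIP-30 connector standard, but the `lace` key name, the synchronous calls (real connector methods return Promises) and the string stand-ins for transactions and signatures are assumptions made for illustration.

```javascript
// Constructed model of the DApp <-> wallet boundary. The wallet side here
// stands in for the extension; the DApp side is page script. Note what the
// page never sees: keys, and any signature the user did not approve.

// --- Wallet side (the interface the extension injects into the page) ---
function makeWalletConnector({ address, approve }) {
  // `approve(kind, details)` models the user clicking Confirm or Reject in the
  // wallet pop-up. Nothing is signed or submitted without it.
  const SIGN_PREFIX = 'sig:';        // stand-in for a real witness set
  const submitted = [];              // what the wallet sent to the network
  let enabled = false;

  const api = {
    getUsedAddresses() {             // public data only, never key material
      return [address];
    },
    signTx(txCbor) {                 // CIP-30 name; body is a simplified stand-in
      if (!approve('signTx', txCbor)) throw new Error('user declined to sign');
      return SIGN_PREFIX + txCbor;
    },
    submitTx(signedTx) {             // the wallet, not the page, talks to the network
      if (!signedTx.startsWith(SIGN_PREFIX)) throw new Error('unsigned tx');
      submitted.push(signedTx);
      return 'txhash-' + submitted.length;   // constructed transaction id
    },
  };

  return {
    name: 'lace',                    // assumed injected key, as in window.cardano.lace
    isEnabled() { return enabled; },
    enable() {                       // the full API is only handed out after consent
      if (!approve('connect', null)) throw new Error('user declined to connect');
      enabled = true;
      return api;
    },
    submittedForTest: submitted,     // exposed only so the flow can be checked
  };
}

// --- DApp side (page script that wants to mint an NFT) ---
function mintNftViaWallet(connector, quantity) {
  const api = connector.enable();                 // step 1: connect
  const [addr] = api.getUsedAddresses();          // step 2: learn the public address
  const txCbor = `mint:${quantity}:to:${addr}`;   // step 3: DApp builds the request
  const signed = api.signTx(txCbor);              // step 4: wallet signs after approval
  return api.submitTx(signed);                    // step 5: wallet submits
}
```

Swapping the `approve` callback for one that rejects `signTx` shows the property the article describes: the DApp can build whatever request it likes, but nothing reaches the network unless the user approves it in the wallet.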
Best practices when using Lace with DApps:
We recommend that you follow best security practices and limit the extension to only the DApps that you wish to use. You can also manage which DApps you have authorized within Lace by going to Settings > Authorized DApps.
We understand that Web3 is all about being able to personally verify what others are telling you.
So, if you are still not convinced, a good way to experiment and manage your browser is to sandbox Lace: create a separate browser profile and install Lace only there. This will let you get used to Lace and Web3 in an environment that's separate from your existing web identity, and it gives you greater peace of mind about what Lace has access to.
With that being said, we can confirm Lace is safe for browsing; IOG and its partners are industry leaders in security and open-source development, and Lace is now fully open source: https://github.com/input-output-hk/lace.
Also make sure to read the audit report from FYEO referenced in the repo: https://lace.io/lace-audit-report
For more information and FAQ, please see: https://www.lace.io/faq
For our Privacy Policy, please see: https://lace.io/iog-privacy-policy.pdf