fix: wait for ledger offscreen iframe load

[mikesposito]

Description

In order to instantiate a functioning communication between the offscreen iframe for Ledger and the LedgerKeyring (through LedgerOffscreenBridge), we need to make sure that the iframe is loaded before sending any message to it.

We currently wait for the offscreen page to load, but the iframe load is completely async and it will most likely be ready after the rest of the offscreen page, leaving messages proxied to the iframe hanging forever.

On a higher level, this is dangerous because everytime we try to send a message to the Ledger iframe the KeyringController controller-level mutex is locked, and any other operation will wait for its release to proceed - this creates a deadlock situation in the case the iframe does not respond to a message.

This PR makes Ledger iframe initialization into a Promise, and the offscreen page will wait for it to be resolved before sending the "ready" signal back to the extension. To avoid waiting forever, the Ledger initialisation promise races with a 5s timeout: in case of timeout, interactions with Ledger accounts will not work during the entire session (until the offscreen page is re-initialised, and another attempt is made to init Ledger).

Note that the UI setup is not affected by this change, since the Offscreen initialisation is awaited only when unlocking the wallet.

Related issues

Progresses: #26840

Manual testing steps

N/A

Screenshots/Recordings

N/A

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[codecov]

Codecov Report

Attention: Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.

Project coverage is 70.13%. Comparing base (0d971b9) to head (cee0470).
Report is 2 commits behind head on develop.

Files with missing lines	Patch %	Lines
app/scripts/offscreen.js	0.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #26225   +/-   ##
========================================
  Coverage    70.13%   70.13%           
========================================
  Files         1417     1418    +1     
  Lines        49444    49446    +2     
  Branches     13835    13835           
========================================
+ Hits         34676    34678    +2     
  Misses       14768    14768           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[metamaskbot]

Builds ready [9387929]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • content-script: 0
  • offscreen: 0
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (177 ± 213 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	73	397	123	68	33
		domContentLoaded	10	41	23	10	5
		load	43	2106	177	443	213
		domInteractive	10	41	23	10	5

Bundle size diffs

• background: 0 Bytes (0.00%)
• ui: 0 Bytes (0.00%)
• common: 0 Bytes (0.00%)

[metamaskbot]

Builds ready [668640b]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9
  • content-script: 0
  • offscreen: 0
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (79 ± 7 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	71	166	106	21	10
		domContentLoaded	54	116	74	16	8
		load	57	116	79	15	7
		domInteractive	15	53	28	10	5

Bundle size diffs

• background: 0 Bytes (0.00%)
• ui: 0 Bytes (0.00%)
• common: 0 Bytes (0.00%)

[Gudahtt]

Mostly looks good, but I noticed the behavior does not seem ideal in the case of a timeout. Adjusting the timeout duration should make things better in that case I think.

[Gudahtt]

LGTM!

[metamaskbot]

Builds ready [a30faa1]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9
  • content-script: 0
  • offscreen: 0
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (78 ± 8 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	70	154	102	20	10
		domContentLoaded	42	110	73	17	8
		load	49	114	78	17	8
		domInteractive	10	42	25	9	4

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 21 Bytes (0.00%)
• ui: 0 Bytes (0.00%)
• common: 132 Bytes (0.00%)

[MajorLift]

Elegant, succinct, nice :)

[MajorLift]

Just out of curiosity, would my understanding be correct that the post message stream needs to be synchronously the first task to complete, and then the order doesn't matter between trezor, lattice, and ledger?

Would there be any potential performance, feature, or security gain from initializing the hardware wallets concurrently? Feel free to disregard if this doesn't make any sense, since I don't have much of an understanding of this domain.

[Gudahtt]

They are effectively executed concurrently in this case, because we're not await-ing anything here. Good question though, in case we did want to await these other steps as well for similar reasons as for Ledger. I think we do want them initializing concurrently to speed up the process.

[MajorLift]

Oh that's super cool.😎 I believe these 3 lines would be processed by the call stack instead of the task queue so they would at least always be executed sequentially and in order. I wonder if we could get true parallelism with web workers for this or other similar collections of tasks where speed gains matter. Interesting food for thought!

[mikesposito]

I believe they all either spawn an iframe in the offscreen page (i.e. Snaps, Ledger) or setup page event listeners (i.e. Trezor, Lattice): they are all executed sequentially, though we don't wait for the Snap iframe to be fully loaded to move on and init the rest.

The order is not strict, but I thought it made sense to load Ledger as last since it is the only one we explicitly wait for, and this gives a chance to the Snaps iframe to load in the meantime - while if we, for example, were to load Ledger as first, the rest would have to wait for it to either resolve or timeout.

[mikesposito]

Good question though, in case we did want to await these other steps as well for similar reasons as for Ledger

Since Trezor and Lattice only require an event listener to be set on chrome.runtime, they are effectively already sync steps that we can't really parallelize (and they should be already fast).

The only component we are initializing out of band is ProxySnapExecutor

[mikesposito]

It would be nice to explore the possibility of only setting an event listener for Ledger as well, and spawning the iframe later in time only in case a Ledger Keyring is added to the wallet, and so when the iframe is really needed - because we currently add a Ledger iframe and a LedgerKeyring to the wallet even if the user never interacted with a ledger device for no clear reason

[metamaskbot]

Builds ready [e764bdf]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9
  • content-script: 0
  • offscreen: 0
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (2224 ± 232 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	354	3119	1896	715	343
		domContentLoaded	1566	3082	2198	489	235
		load	1575	3111	2224	483	232
		domInteractive	15	200	56	42	20

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 21 Bytes (0.00%)
• ui: 0 Bytes (0.00%)
• common: 132 Bytes (0.00%)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[metamaskbot]

Builds ready [cee0470]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9
  • content-script: 0
  • offscreen: 0
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (1673 ± 54 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	269	2010	1608	326	156
		domContentLoaded	1514	2001	1652	109	53
		load	1523	2009	1673	112	54
		domInteractive	22	64	36	13	6

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 21 Bytes (0.00%)
• ui: 0 Bytes (0.00%)
• common: 132 Bytes (0.00%)

[FrederikBolding]

Hmm, this still makes extension bootup and every other service using the offscreen document dependent on the Ledger iframe. You also would not be able to unlock before 4s has passed or the Ledger iframe loads.

Wondering if we should be emitting a separate event for Ledger and awaiting that in the keyring somewhere not on init as the longer-term solution.

[mikesposito]

I think we should evaluate how useful it is to always add a Ledger keyring to the user's keychain on unlock, even if the user never interacted with a ledger device. If we establish that this is not needed, then as you suggested the best thing to do would be to initialize Ledger only when needed (e.g. when the Keyring is explicitly added by a user), so that we don't have to wait for it before unlocking