MetaMask – Why MetaMask Provider Allows dApp to See User’s Accounts Before Their Consent

accounts, metamask

As stated in EIP-1102, this standard is meant to prevent a dapp from gaining access to a user's accounts via the Ethereum provider without their permission. For that purpose, an eth_requestAccounts method was defined, which should return a promise that will either be resolved with an array of accounts or be rejected with an error if, for example, the user denies access.

MetaMask claims to be in line with this standard. However, I found that it does not require any user confirmation before reading their account. Specifically, this line of code just results in a promise resolved with the user's account. No user interface is triggered in the meantime:

 ethereum.request({ method: 'eth_requestAccounts' })

Consent is requested only when the dapp tries to use this account to send a transaction.

Any thoughts on why MetaMask chose this way, which is allegedly contrary to EIP-1102?

Best Answer

MetaMask is in line with this approach: it first asks the user to allow the app (domain) to access their accounts, and then it asks for confirmation for each transaction sent. For the allowance, though, it just asks once at the beginning for each domain.

Are you testing this on a site you already approved the address for?

If so, select the account, click the three vertical dots in the top-right, and select "Connected sites". A list appears, and from there you can remove permission for each previously allowed site.
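The following is an added example, not code from the question, the answer, or MetaMask itself. It simulates the per-domain permission behaviour the answer describes so the difference between a first visit, a repeat visit, and a revoked site is visible in code. The provider class is a constructed stand-in for window.ethereum (it takes an extra origin argument that the real injected provider does not, because a real page's origin is implicit), the account string is a made-up placeholder, and the only real facts relied on are that eth_accounts never prompts and returns an empty array for an unconnected site, that eth_requestAccounts prompts only the first time per domain, and that a rejected request surfaces as an EIP-1193 ProviderRpcError with code 4001.

```javascript
// Added example (not from the original question or answer): a minimal
// simulation of the EIP-1102 / EIP-1193 account-access flow as MetaMask
// applies it per domain. MockMetaMaskProvider is a constructed stand-in
// for window.ethereum; connectDapp is the dApp-side routine.

// EIP-1193 ProviderRpcError code for "User Rejected Request".
const USER_REJECTED = 4001;

// Constructed placeholder account; not a real address of anyone.
const SAMPLE_ACCOUNT = '0x1111111111111111111111111111111111111111';

class ProviderRpcError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Stand-in for the injected provider. The `origin` argument is an artifact
// of the simulation (the real provider knows the page's origin itself).
// `askUser(origin)` plays the MetaMask connect dialog: true = approve.
class MockMetaMaskProvider {
  constructor(askUser) {
    this.askUser = askUser;
    this.permitted = new Set(); // origins the user has approved
    this.prompts = 0;           // number of dialogs shown so far
  }

  async request({ method }, origin) {
    switch (method) {
      case 'eth_accounts':
        // Never prompts: [] unless this origin is already permitted.
        return this.permitted.has(origin) ? [SAMPLE_ACCOUNT] : [];
      case 'eth_requestAccounts':
        // Prompts only on the first call per origin; afterwards it resolves
        // silently, which is the behaviour the question observed.
        if (!this.permitted.has(origin)) {
          this.prompts += 1;
          if (!this.askUser(origin)) {
            throw new ProviderRpcError(USER_REJECTED, 'User rejected the request.');
          }
          this.permitted.add(origin);
        }
        return [SAMPLE_ACCOUNT];
      default:
        throw new ProviderRpcError(4200, `Unsupported method: ${method}`);
    }
  }

  // Equivalent of removing the site under "Connected sites" in the MetaMask UI.
  disconnectSite(origin) {
    this.permitted.delete(origin);
  }
}

// dApp-side connect routine: check silently first, then request access,
// and treat a user rejection (4001) as a normal outcome, not a crash.
async function connectDapp(provider, origin) {
  const existing = await provider.request({ method: 'eth_accounts' }, origin);
  if (existing.length > 0) {
    return { status: 'already-connected', accounts: existing };
  }
  try {
    const accounts = await provider.request({ method: 'eth_requestAccounts' }, origin);
    return { status: 'connected', accounts };
  } catch (err) {
    if (err && err.code === USER_REJECTED) {
      return { status: 'rejected', accounts: [] };
    }
    throw err;
  }
}

// Walks through the situation from the thread: first visit prompts, a
// repeat visit does not, removing the site brings the prompt back, and a
// site the user rejects never gets an account.
async function scenario() {
  const decisions = { 'https://dapp.example': true, 'https://other.example': false };
  const provider = new MockMetaMaskProvider((origin) => decisions[origin]);
  const log = [];
  log.push((await connectDapp(provider, 'https://dapp.example')).status);  // prompt shown
  log.push((await connectDapp(provider, 'https://dapp.example')).status);  // no prompt
  provider.disconnectSite('https://dapp.example');
  log.push((await connectDapp(provider, 'https://dapp.example')).status);  // prompt again
  log.push((await connectDapp(provider, 'https://other.example')).status); // user rejects
  return { log, prompts: provider.prompts };
}

scenario().then((result) => console.log(JSON.stringify(result)));
```

The point for a dApp author is the order of calls in connectDapp: eth_accounts is the safe way to find out whether the site is already connected without showing any dialog, and eth_requestAccounts is the call that asks. Once the user has approved a domain, repeated eth_requestAccounts calls resolve without a prompt until the site is removed under "Connected sites".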
