
Show HN: JSFiddle for HTTP requests - _pdp_
https://rest.secapps.com/f/EMJL
======
fiatjaf
Requires a Chrome Extension? That's too much for me.

~~~
_pdp_
For all practical reasons, web apps cannot bend the rules of same origin
policy. As a result of this the browser extension is required to fill the gap.
The extension itself is idle unless used so there is no performance hit
whatsoever. In terms of privacy, the extension only hooks itself into our own
web pages and nowhere else so in theory it is less invasive than AdBlock Plus
or pretty much any other standard browser extension these days.

So while this is annoying we have to either use this or package the whole app
with Electron or something which I believe will be less useful for the
majority of people.

As a side note, a future version can be backed by our own proxy so that you
don't have to install any browser extension but unfortunately you will lose
some of the flexibility such as testing local web apps.

~~~
brudgers
Just a thought, the friction using Electron _might_ create for the vast
majority of people in the _future_ is preconditioned on potential early
adopters trying it _now._ The feedback here from potential early adopters is
that installing an extension to allow violating same origin policy is
_blocking_ consideration.

On the one hand, a browser extension may be the simplest thing that might
work. And it probably would work if there was an established relationship of
trust (and probably why it works for your team). Out beyond the bounds of your
team, there is no basis for trust and installing a browser extension that goes
around browser security doesn't make much sense when people have not yet seen
a reason why they should use the site.

It's worth noting that JSFiddle does not require a browser extension to allow
unsafe behavior and the comparison may set expectations that cannot be readily
met.

Finally, people might be more engaged and therefore likely to install the
extension if the link was to a landing page that explained what the product
is, provided technical details of how it works, provided technical details of
the extension, and provided examples of successful use before they were taken
to the interactive demo...if the demo ran in a sandbox on your server without
an extension that would be even better.

Well, I said 'finally' but I took one more look at the site and the names of
the people getting shoutouts do not inspire trust in an extension that wants
to circumvent same origin policy. They may be nice people and white hats, but
how would I know?

Good luck.

~~~
_pdp_
Thanks for the feedback. A desktop app is certainly something we are
considering but we want to do it right hence why we have not released one just
yet.

In terms of the shouts - this is just a joke :)

~~~
brudgers
The insider joke sort of raises a question about who the product is built
for...which is probably a central theme of my earlier comment. Installing a
Firefox extension solves the developer's technical problem but does so before
it is clear to a _potential_ user that it might possibly in theory solve one
of their problems.

It is worth considering what "doing it right" might mean. From a business and
technical perspective, these could be different things: e.g. the shiny
code award versus improving business metrics.

~~~
_pdp_
Again, appreciate your feedback.

Doing it right means that just because you can do something it does not mean
that it is the right thing. In the case of this app, it was a deliberate
design choice to build it as it is and we are planning to make it into a
desktop app soon in order to make it easier for people to use it and benefit
from the features we have worked so hard to implement.

There is a clear trust problem with browser extensions but I will argue that
this is even more so for desktop applications due to the extended access
permissions they get. For example, our Chrome extension can send requests
bypassing the same origin policy but beyond that it is safe as it will not
read or, even worse, encrypt your files and photos due to malware. Postman is
a desktop app these days so you trust that the developers are doing the right
thing to protect their update channel but should you really? Transmission.app
was compromised easily it seems so why not Postman (as an example of a tool
solving a similar problem)?

My point is that somewhere someone needs to trust the software and in my
professional opinion the browser security model is far superior to what you
get with desktop apps so the choice from my perspective is easy.

Bridging the two worlds sounds to me at least like a logical conclusion but there
have to be compromises from either side.

~~~
brudgers
I agree it was a deliberate design choice and one that is supported by
technical rationales. In the current form of presentation, based on this thread
I'm not sure there are strong 'sales' rationales supporting the design
decision (and here design is not just technical).

Might be useful to go through the exercise of creating some hypothetical
users.

------
_pdp_
One of the authors here. Let me know if you have any questions. I would love
to answer them.

~~~
_pdp_
It is a pre-configured fiddle which exploits a vulnerability in WordPress. The
readme contains some instructions on how it works but it is plug and play.

