

Show HN: Drop-In Chat – Chatify your app - ahochhaus
https://dropinchat.com/

======
owenversteeg
WARNING: DO NOT TRY TO CHAT WITH PEOPLE - BAD THINGS WILL HAPPEN - READ BELOW

Uhh, it's possible to inject JavaScript into this. There are two people that
already did this. One is harmless and alerts "Wufff!" and the other redirects
you to pornhub.

[edit] Now there's another that redirects you to lemonparty.

[edit 2] Now there's another that redirects you here. It's fun watching this
play out live, with the nice vs. the mean HNers.

~~~
fmavituna
Maybe not everyone knows this; it's called XSS. There is a good cheat sheet to
protect against issues like this from OWASP:
[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_P...](https://www.owasp.org/index.php/XSS_\(Cross_Site_Scripting\)_Prevention_Cheat_Sheet)

Shameless plug: We develop a tool that detects vulnerabilities such as this
automatically (even in JavaScript based web apps) -
[https://www.netsparker.com/netsparker/](https://www.netsparker.com/netsparker/)

There is also a free community edition which would possibly detect this
vulnerability:
[https://www.netsparker.com/communityedition/](https://www.netsparker.com/communityedition/)
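
As an added illustration (not code from Drop-In Chat, Netsparker or the OWASP sheet), here is the message-rendering bug that produces the injection reported above, beside the escaped version; the message and function names are constructed for the example, and a harmless payload stands in for the redirects.

```javascript
// Added example, not Drop-In Chat's code. A chat widget shows text typed by
// other users, so every message is untrusted data.

// Escape the five characters that let message text break out of an HTML text
// node or a quoted attribute value (OWASP rule #1, HTML body/attribute context).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable pattern: user-controlled fields are concatenated straight into
// markup that is later assigned to innerHTML. An <img onerror=...> or
// <script> in the message then runs in every viewer's browser, which is how
// the redirects described in the thread happened.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><b>${msg.from}</b>: ${msg.text}</div>`;
}

// Hardened version: each untrusted field is escaped for the HTML context it is
// inserted into. (With a live DOM, `el.textContent = msg.text` achieves the
// same thing; a string is used here so the output can be inspected in tests.)
function renderMessageSafe(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.text)}</div>`;
}

// Constructed sample message with a harmless probe payload of the kind the
// thread describes ("Wufff!").
const sampleMessage = {
  from: "mallory",
  text: '<img src=x onerror="alert(\'Wufff!\')">',
};

// Defender-side check for a test suite: after removing the wrapper tags our own
// template emits, any remaining raw '<' that starts a tag came from user data.
function hasInjectedTag(html) {
  const stripped = html.replace(/<\/?(div|b)\b[^>]*>/g, "");
  return /<[a-zA-Z!\/]/.test(stripped);
}

console.log(renderMessageUnsafe(sampleMessage)); // injected <img> survives
console.log(renderMessageSafe(sampleMessage));   // rendered as inert text
```

Escaping covers text and quoted attributes only; a value placed in an `href` or `src` still needs its own URL check, since `javascript:` needs no angle brackets.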

------
misiti3780
Does anyone know a good open-source version of this type of functionality? I
have a client now that wants me to add this to their site but the data cannot
go through a third-party company.

My stack is django-based but I am open to any solution that works well.

~~~
jcbrand
I wrote an open source XMPP-based chat client:
[https://conversejs.org](https://conversejs.org)

There is a Django add-on for it as well: [https://pypi.python.org/pypi/django-conversejs](https://pypi.python.org/pypi/django-conversejs)

In the latest unreleased version (0.8), you only have to load converse.min.js
and converse.min.css in your HTML.

The 0.8 release should go out within the next few weeks.

------
ioddly
Very nice, I'll be keeping an eye on this. I'm sure you guys have a million
other things to do, but don't forget handling multiple tabs by the same user.

e: Ah, and somebody's already trying to inject JavaScript. You rascals ;)

~~~
ahochhaus
Thanks for the feedback. Please keep it coming if you think of anything else.
We will be prioritizing what to work on.

------
waitingkuo
I do need a messaging service for my product! Can it be used in production
currently? I'm also curious about whether you provide the video conference api
in the future or not? That would be useful!

~~~
ahochhaus
Hi waitingkuo. Thanks for the encouragement. Currently I wouldn't recommend
using Drop-In Chat in a production context as the code is too new and not
really stable. When we get to the point we think the product is ready for
production use we'll make an announcement.

At this point we do not have plans to add video conferencing support.

------
lostsock
I don't have a use for this right now but it looks like a nice and simple
solution.

Not that I necessarily think I would need to but is it possible for the
webmaster to get logs of the chats?

~~~
ahochhaus
One of the app authors here. We did this for YC hacks and ran out of time (30
hours). At this point we don't store the chats for anything but we plan on
adding that soon. At that point, the admin should be able to search.

Please let us know if we can do anything to improve the app for a possible use
case for you.

~~~
lostsock
The only thing I can think of right now would be a way to theme it. Just being
able to change the colour of the solid bar would be nice.

~~~
ahochhaus
Thanks! We will add CSS styling to the configuration options in the DIC
variable. Let us know if you think of anything else.

------
ahochhaus
Sorry for the XSS problems. They are fixed now so it is safe to visit and test
again if you like. Thanks owenversteeg for warning everyone.

------
slig
This is awesome. I've been searching for a SaaS chat widget like this for
years.

Any ideas on pricing?

~~~
ahochhaus
For the time being we are going to keep this completely free to gauge
interest. At some point we would likely charge, but at this point don't have
solid plans about what the pricing would look like. Sorry I can't be more
precise.

------
svaldez
Is this similar to [http://gochat.us/](http://gochat.us/) ?

------
misrab
Hehe built something like this as a small project a while ago for
fun...interlude.im

~~~
ahochhaus
Hi, I just checked out interlude. Cool project.

I think the intent of our app is slightly different than yours. Our hope was
to allow users of authenticated web applications to chat with one another. Our
demo is misleading in this regard as all visitors to dropinchat.com get
dropped into a single "chat group" (we didn't want users to need to register in
order to try it out). We think that apps this product might work well with are
enterprise style collaborative applications (where users are already
authenticated).

~~~
misrab
Fair enough :) Good luck!

------
danbucholtz
Very cool app. Needs a little bit of maturing but a really good first step!

~~~
ahochhaus
Thanks for the encouragement. What we have is certainly just a first step. We
will continue to keep making incremental improvements now that YC Hacks is
over.

------
scrollaway
What does this use in the backend? Is this xmpp-based? Is it open source?

~~~
ahochhaus
The back end is golang. The client-server messaging protocol is
BrowserChannel/WebChannel.

[https://code.google.com/p/libevent-browserchannel-server/wik...](https://code.google.com/p/libevent-browserchannel-server/wiki/BrowserChannelProtocol)

We open sourced the BrowserChannel library here:

[https://github.com/samegoal/wc](https://github.com/samegoal/wc)

And have a chat room demo app here:

[https://github.com/samegoal/wcchat](https://github.com/samegoal/wcchat)

The code we used for this particular site isn't Open Source yet. We are still
trying to figure out what we want to do with it before we make that decision.

~~~
scrollaway
Good luck with it. I hope you open source it.

Would you be able to give a rationale on why you chose against xmpp?

~~~
ahochhaus
Hi scrollaway. Thanks for the support.

XMPP seems really great in a context of needing to inter-operate with other
servers. However, for our use-case all communication was in a silo of a single
site so this was not a major benefit to Drop-In Chat.

Our team wants broad browser support (for legacy corporate deployments)
and a well-tested client side module. BrowserChannel, which is used for Gmail
chat, is very widely deployed and well tested.

Maybe I'm missing something, but even if we went with XMPP, wouldn't Drop-In
Chat still need a way to stream messages from the server to the client? If so,
we would still need to rely on a transport mechanism like websockets/XHR
streaming/forever iframes for the in-browser real time message delivery.
BrowserChannel/WebChannel bundles up this abstraction nicely and hides all the
ugliness of dealing with browser quirks for streaming message delivery.

~~~
scrollaway
Sure, but BrowserChannel is only relevant on the client. What about the
server? Using XMPP would allow for external clients to connect for example.

~~~
ahochhaus
I agree. If at some point dropinchat.com allowed for messaging between
networks XMPP support would be great to add. At this point we are only allowing
for messaging other Drop-In Chat users so no such protocol is needed. My only
point was that we didn't "reinvent the wheel" by not using XMPP. Instead we
just don't allow cross network messaging yet.

------
chatango
Do you guys know about [https://chatango.com](https://chatango.com) ? It's a
more mature product, also based on a Go backend. Founder here, so please ask any
questions.

~~~
ahochhaus
I looked at chatango and I think the intended use case is a bit different than
dropinchat. Drop-in chat provides user-to-user instant messaging. As best I
can tell, chatango (primarily?) provides broadcast style communication. Is
this correct?

~~~
chatango
Chatango is primarily focused on group chats, but you can send private
messages as well. Dropinchat.com mentions "chat groups". Are they only for
user-to-user messages?

~~~
ahochhaus
At this point dropinchat.com does not support sending messages to more than
one user. However, we do plan to add that feature as our team has time.

The documentation on dropinchat.com mentions "groups" as a set of users which
are allowed to see one another and message back and forth. Our team thinks
this use case might be helpful, for example, for a website administrator to
limit communication between members on a given organizational team or
individuals in a certain building, etc.

