For all practical reasons, web apps cannot bend the rules of same origin policy. As a result of this, the browser extension is required to fill the gap. The extension itself is idle unless used so there is no performance hit whatsoever. In terms of privacy, the extension only hooks itself in our own web pages and nowhere else so in theory it is less invasive than Adblock Plus or pretty much any other standard browser extension these days.
So while this is annoying we have to either use this or package the whole app with Electron or something which I believe will be less useful for the majority of people.
As a side note, future versions can be backed by our own proxy so that you don't have to install any browser extension, but unfortunately you will lose some of the flexibility such as testing local web apps.
Just a thought, the friction using Electron might create for the vast majority of people in the future is preconditioned on potential early adopters trying it now. The feedback here from potential early adopters is that installing an extension to allow violating same origin policy is blocking consideration.
On the one hand, a browser extension may be the simplest thing that might work. And it probably would work if there was an established relationship of trust (and probably why it works for your team). Out beyond the bounds of your team, there is no basis for trust and installing a browser extension that goes around browser security doesn't make much sense when people have not yet seen a reason why they should use the site.
It's worth noting that JSFiddle does not require a browser extension to allow unsafe behavior and the comparison may set expectations that cannot be readily met.
Finally, people might be more engaged and therefore likely to install the extension if the link was to a landing page that explained what the product is, provided technical details of how it works, provided technical details of the extension, and provided examples of successful use before they were taken to the interactive demo...if the demo ran in a sandbox on your server without an extension that would be even better.
Well, I said 'finally' but I took one more look at the site and the names of the people getting shoutouts do not inspire trust in an extension that wants to circumvent same origin policy. They may be nice people and white hats, but how would I know?
Thanks for the feedback. A desktop app is certainly something we are considering but we want to do it right hence why we have not released one just yet.
The insider joke sort of raises a question about who the product is built for...which is probably a central theme of my earlier comment. Installing a Firefox extension solves the developer's technical problem but does so before it is clear to a potential user that it might possibly in theory solve one of their problems.
It is worth considering what "doing it right" might mean. From a business and technical perspective, these could be different things: e.g. the shiny code award versus improving business metrics.
Doing it right means that just because you can do something it does not mean that it is the right thing. In the case of this app, it was a deliberate design choice to build it as it is and we are planning to make it into a desktop app soon in order to make it easier for people to use it and benefit from the features we have worked so hard to implement.
There is a clear trust problem with browser extensions but I will argue that this is even more so for desktop applications due to the extended access permissions they get. For example, our Chrome extension can send requests bypassing the same origin policy but beyond that it is safe as it will not read or, even worse, encrypt your files and photos due to malware. Postman is a desktop app these days so you trust that the developers are doing the right thing to protect their update channel, but should you really? Transmission.app was compromised easily it seems, so why not Postman (as an example of a tool solving a similar problem)?
My point is that somewhere someone needs to trust the software and in my professional opinion the browser security model is far superior to what you get with desktop apps, so the choice from my perspective is easy.
Bridging the two worlds sounds to me at least a logical conclusion but there have to be compromises from either side.
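The first post says the extension only hooks into the developer's own pages, and the reply above says it can send cross-origin requests but is otherwise safe. The following is an added example (not the product's actual extension code) of the background-worker checks that would back those two claims: only messages from an allowlisted web origin are honoured, and each relayed request is validated and sent without the user's ambient cookies. The origin `https://app.example` and the message shape `{url, method, headers, body}` are placeholders assumed for illustration; the manifest keys `externally_connectable` and `host_permissions` are real Chrome extension manifest keys.

```javascript
// Added example, not the project's code. Assumes manifest.json declares
// "externally_connectable": {"matches": ["https://app.example/*"]} (placeholder origin)
// and "host_permissions": ["<all_urls>"] so the worker itself may fetch cross-origin.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed placeholder
const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"]);

// Second line of defence after the manifest: refuse any sender that is not our own origin.
function senderAllowed(sender) {
  if (!sender || typeof sender.origin !== "string") return false;
  return ALLOWED_ORIGINS.has(sender.origin);
}

// Turn an untrusted page message into a fetch description, or null if unacceptable:
// http(s) targets only (no file:, chrome:, data:), known methods, string headers, and
// credentials omitted so the page cannot ride on the user's logged-in sessions elsewhere.
function validateRequest(msg) {
  if (!msg || typeof msg.url !== "string") return null;
  let url;
  try { url = new URL(msg.url); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const method = String(msg.method || "GET").toUpperCase();
  if (!ALLOWED_METHODS.has(method)) return null;
  const headers = {};
  for (const [name, value] of Object.entries(msg.headers || {})) {
    if (typeof value !== "string") return null;
    headers[name] = value;
  }
  const body = method === "GET" || method === "HEAD" ? undefined : msg.body;
  return { url: url.href, method, headers, body, credentials: "omit" };
}

// Relay one validated request and hand back only status and body text.
async function relay(msg, sender) {
  if (!senderAllowed(sender)) return { error: "sender not allowed" };
  const req = validateRequest(msg);
  if (!req) return { error: "request rejected" };
  const res = await fetch(req.url, {
    method: req.method, headers: req.headers, body: req.body, credentials: req.credentials,
  });
  return { status: res.status, body: await res.text() };
}

// Register the listener only when running inside an extension service worker.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) => {
    relay(msg, sender).then(sendResponse);
    return true; // keep the channel open for the async response
  });
}
```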
I agree it was a deliberate design choice and one that is supported by technical rationales. In the current form of presentation, based on this thread I'm not sure there are strong 'sales' rationales supporting the design decision (and here design is not just technical).
Might be useful to go through the exercise of creating some hypothetical users.
It seems like the product was built for development and I can track with it generally, having an idea of what it solves from navigating the site a little. I'm thinking about installing it but it does raise concerns, being fixed in a "haxor" message, and the feedback is important. What do you think of http://qkast.com? Does it address the right perspective?