Doing it right means that just because you can do something it does not mean that it is the right thing. In the case of this app, it was a deliberate design choice to build it as it is and we are planning to make it into a desktop app soon in order to make it easier for people to use it and benefit from the features we have worked so hard to implement.
There is a clear trust problem with browser extensions but I will argue that this is even more so for desktop applications due to the extended access permissions they get. For example, our Chrome extension can send requests bypassing the same origin policy but beyond that it is safe as it will not read or, even worse, encrypt your files and photos due to malware. Postman is a desktop app these days so you trust that the developers are doing the right thing to protect their update channel but should you really? Transmission.app was compromised easily it seems so why not Postman (as an example of a tool solving a similar problem)?
My point is that somewhere someone needs to trust the software and in my professional opinion the browser security model is far superior to what you get with desktop apps so the choice from my perspective is easy.
Bridging the two worlds sounds to me at least a logical conclusion but there have to be compromises from either side.
I agree it was a deliberate design choice and one that is supported by technical rationales. In the current form of presentation, based on this thread I'm not sure there are strong 'sales' rationales supporting the design decision (and here design is not just technical).
Might be useful to go through the exercise of creating some hypothetical users.