• teawrecks@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I don’t like webui’s for lemmy. This means they’re getting all your traffic. It’s a mitm situation again, much like google’s amp links.

    If I’m running a dedicated app, I can validate that my traffic is going directly to my instance and not being farmed and sold by a 3rd party behind the scenes.

    • CuriousGoo@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Uhh… not clear on what you’re claiming here… you can validate the traffic is going to the expected instance using a web app, without requiring any special software by running Developer tools and heading to the network tab.

      • AnarchoYeasty@beehaw.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Web front ends currently require a backend service that then routes to your intended destination because Lemmy servers by default are configured with cors to only allow requests from their intended domain. There is a PR to fix it but I don’t believe it’s been merged in. This may be out of date but that was true as of a few weeks ago per the dev of Voyager which is the web frontend I use

        edit: this is no longer true. A PR 2 weeks ago fixed this issue and web front ends are able to work just as well as a native app now.

        • aserraric@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I’ve looked at the traffic, and all calls go directly to the API of my instance. I don’t think Alexandrite even runs a backend.

        • CuriousGoo@beehaw.org
          link
          fedilink
          English
          arrow-up
          0
          ·
          edit-2
          1 year ago

          I see, but how is this different in a phone app? Wouldn’t the request still be made to a backend?

          • AnarchoYeasty@beehaw.org
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            1.) Turns out this is no longer true because the cors issue is fixed as of two weeks ago.

            But to answer your question:

            Well that’s the really silly part about it. You see, the way CORS works is that it only works if the client making the request implements cors. In this case when I say client I’m talking about your web browser itself. Native applications, or hitting an API directly via network calls, don’t implement cors and thus you can make the calls all you want and the server responds. So even when cors was configured to only allow requests from the correct domain it only affected people with web browsers.

            However two weeks ago a PR was merged into the Lemmy source code setting the cors to by default allow requests from anyone instead of a specific domain.

      • anlumo@feddit.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        That checks it only for the current session, though. The app might do nefarious things only on new moons, or on a specific date. It might also get updated at any point with completely new code without you noticing.

      • teawrecks@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Not only does the app not have to be open source, your don’t even need root access on the device it’s running on. As long as you can see the packets being sent, you can see what servers it’s talking to.

        Not so when going though someone else’ website tho. It does look like there are direct connections to the selected instance happening, but also obviously there is data being sent and received from alexandrite, and there’s no way to know what they’re doing with that info. For all you know, they’re fingerprinting you for Meta. (I don’t think that’s happening, but there’s no way to know).

  • Space Sloth@feddit.dk
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Using it right now and I’m astounded by how smooth it is. Will be using this for the desktop from now on.

  • Valen@beehaw.org
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Looks like it’s strictly one server. Too bad I can’t connect to multiple servers and switch between them.

  • freamon@endlesstalk.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’m using it right now on new.endlesstalk.org

    It’s beautiful yes, but it’s also kinda dumb. Lots of page elements (like the community banner and notifications section) need manually refreshing to show anything, and I need to press ‘Go’ after changing view (like Subscribed/All or Hot/New) like the web of ancient times. This may just be how it’s implemented at endlesstalk, but there’s other irritations like not having the option to upload a picture when creating posts, and it not actually doing anything if I change my settings to toggle ‘Show NSFW’

    • Lycan@beehaw.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      To be fair, according to the article this project is less than a month old! I’m sure it will continue to improve.

    • darcmage@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      It looks like that instance isn’t using the most up-to-date version since the “press go” issue has been fixed. Try to keep in mind that the initial commit was on June 24 and it’s still very early in the development stage. If you look at the commits, you can see the developer has been very active.

  • Nitrousoxide@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    This is neat, but I’m not really comfortable putting my password in for a separate front end

  • Uniquitous@lemmy.one
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    Wow, that is much nicer. Though I would have settled just for “default opening links in new tabs”