• Redjard
    link
    fedilink
    51 year ago

    Oh, you are almost right, I was wrong. Checking the network traffic it seems images (and some parts of posts?) are fetched directly, but other elements are fetched through wefwef.app, namely everything that needs the users session. maybe this is done to process some lemmy outputs serverside into for example the notification icon? This surprised me, I was confident the only requests to wefwef.app would be static elements and the code itself.

    • @aeharding
      link
      19
      edit-2
      1 year ago

      This is to get around CORS. @[email protected] just fixed CORS on lemmy.world 15 minutes ago (things move fast on Lemmy, lol) so I’ll push an update to direct connect for lemmy.world tonight!

      Edit: done ✅

      • Redjard
        link
        fedilink
        11 year ago

        This is about cors headers on the api calls? That only don’t affect other apps because they are offline and ignore cors?

        • @aeharding
          link
          51 year ago

          Native apps don’t have CORS restrictions. They can make http requests anywhere.

          Only web apps in a browser have this limitation.

          • Redjard
            link
            fedilink
            11 year ago

            Makes sense, never thought about that. An annoying situation, I wonder how many security issues would crop up if browsers allowed ignoring cors for pwas…

            Currently apicalls are proxied through the server but end up with the lient all the same, with the session being stored in local storage “credentials”?
            Will you currate a manual whitelist for direct calls or have the app test if direct fails and fall back to proxied?

            • @aeharding
              link
              31 year ago

              At this point it’s manual. We could do some intelligent detection, but at the pace Lemmy dev is moving, I don’t think it’s worth it. The goal is to rip out the proxy completely once there’s a bit more time for most servers to upgrade, and also https://github.com/LemmyNet/lemmy/issues/3567 is resolved.

            • Redjard
              link
              fedilink
              11 year ago

              Why not add a new tier to pwas. You need to only use cookies scoped to your own domain, you get a new container without any existing session cookies etc. for other websites, but cors is dropped.
              That should prevent carelessly putting auth tokens into cookies and should replace cors in that sensitive sessions are containered away and all existing data for other websites that where slopily created somehow are isolated.

              After all for the way wefwef works for example I see no benefit to cors

      • @[email protected]
        link
        fedilink
        0
        edit-2
        1 year ago

        Hey is it dynamic or you have to add a list of instances to direct connect?

        Update: sorry, just saw your answer below 🤷‍♂️