arthurfranca 1 month ago
Could it be possible to improve user retention by making Nostr web apps work **without** a browser extension? Help me test this vision by uploading your static (nostr) websites at https://44billion.net. Sign in/up then click on the (n)app icon with a big "N" (a Napp store) where you can upload them. Hint: Before uploading, you could add some code to your napps to support auto-login. You just need to get the logged-in user's pubkey on load by calling `const userPk = await window.nostr.peekPublicKey()`, which returns the pubkey without prompting the user.

Replies (12)

Browser extensions are more secure than a web app that is loaded dynamically from a server? Browser or even OS level integration would be best.
On the other hand, if you don't have an extension, it's safer to give your nsec to only 1 website instead of 10...
arthurfranca 1 month ago
This platform is different. 1) The web app is loaded client side, doesn't touch the server 2) The nsec is handled by this github page https://github.com/44Billion/44b-vault, loaded on an iframe, that runs exactly the same open-source code on the repo. 44billion.net has no direct access to the nsec. It lives as a passkey on the device's secure element. Soon users will be able to switch to their own 44b-vault fork.
If Github is to be used as a trusted source, it's best to host the whole UI from there. The other domains could always make it not use Github and re-prompt your nsec, or use it in a manner you did not authorize etc. That said, it's a cool project — nostr apps would benefit from OS / browser level integration that takes care of key management, event storage and relay connections without every app having to do it.
arthurfranca 1 month ago
> [...] The other domains could always make it not use Github and re-prompt your nsec [...] I'm sure you know it but just to make it clear for future readers, the browser automatically isolates passkey storage (and storage in general) by domain. If 44billion.net changes the login iframe to a malicious url, the nsecs won't be there. Nothing bad happens per se.
arthurfranca 1 month ago
At least on a browser you can right click and inspect the code and networking. Can't say the same about native apps =]~
Ben f 0 months ago
I got on nostr after a year and apparently you can't just put your nsec into websites anymore. Has to be a browser extension. Not everyone really cares about nsecs