Wire-webapp: Is Access-Control-Allow-Origin Header still an issue in 2017?

Created on 27 Apr 2017  路  10Comments  路  Source: wireapp/wire-webapp

Referring to #294
Please instruct whether it is now possible to use webapp on a non-wire domain. If not, this would be defeat the whole purpose of a project - no?

Most helpful comment

@raphaelrobert @priiduzilmer I've responded on Medium where the CTO states: "Wire鈥檚 users can now build their own client from our source code and run it on our platform"

I am now puzzled by the response above.

All 10 comments

I seem to be able to login successfully from a Localhost. Just wondering what are the limitations.

@segahm, your question is valid and tough at the sime time.

The current limitation (when using our production backend from a localhost) is that you will not be able to refresh the access token, so _schedule_token_refresh will fail and you will get logged out on your browser.

I am forwarding your question to our Head of Security, @raphaelrobert.

@raphaelrobert nice to meet you. How should I treat what @bennyn is describing? As a bug, a security feature, or something else? Thanks

Sorry for the late reply. The limitation mentioned in #294 is still in place for now.
This is a security feature, in that the CORS prevents access from other websites. Unfortunately that includes self-hosted versions as well.

Hmm. @raphaelrobert @bennyn please advise how I should proceed then.

I am building a product on top of Wire Webapp chat client, with the hope of registering my users in your network. Likewise, relying on your server. This is something I previously successfully prototyped on Telegram.

So far, the refresh access token is my only roadblock. I hypothesize that I have a workaround. But if the inability to refresh access token is not a bug but an intentional feature, I don't want to go about hacking together a solution that will be blocked down the road by the server.

Please help. Thank You. You can reach me at:
"first name" at "domain of the company I work for"

When modifying Wire clients and connecting to our servers, our Terms of Use apply, in particular section 6.4. Please be mindful of that.

Our server API is not publicly documented and we reserve the right to change it without prior notice. Going forward it will be possible to self-host the Wire backend. In the meantime our bot API is maybe more suited for your needs.

@priiduzilmer can you chime on this. The above is not very encouraging from the standpoint of an open source developer team putting its time and money.

@segahm The Wire servers are simply not suited to build third-party services on top of it, that's the reason we don't allow it.
As I mentioned, the bot API was designed specifically with that objective.
If you would like to describe in more detail what you are trying to build, feel free to write to Wire Support and we can look into it further.

@raphaelrobert @priiduzilmer I've responded on Medium where the CTO states: "Wire鈥檚 users can now build their own client from our source code and run it on our platform"

I am now puzzled by the response above.

Closing due to inactivity. Concerns are being addressed step by step.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ghost picture ghost  路  3Comments

0xdade picture 0xdade  路  5Comments

zenitraM picture zenitraM  路  5Comments

fortran77 picture fortran77  路  4Comments

maximbaz picture maximbaz  路  4Comments