Nostr Web Client

Big news Nostr fam: the Primal Remote Signer is here! 🫡

We just released Primal 2.6, which includes a NIP-46 remote signer built into our iOS and Android apps. Now you can use your Primal mobile app to login to any Nostr app that supports the remote login (a.k.a. nsec bunker) standard. IMHO this is the easiest and most secure way to login to Nostr web apps.

Check out Paul’s overview video below. We had to do some crazy stuff to make this work on iOS. Overall this was way harder to build than we anticipated. Try it and let us now how it hits!

https://blossom.primal.net/bff3c129e4dbd895b2373b51cf83ea6545f2fedf285cc8371e5e2f3ccad35718.mp4

mfostr 3h ago

Is the iOS remote signer going to be open source?

mfostr 3d ago

https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-13

mfostr 3d ago

Immutable Democracy! 🗳️🔏

https://youtu.be/g0nnM5_Z90E

mfostr 4d ago

https://blossom.primal.net/b28903af828b13bf054a8a533d7f0c3617a56346b711bd87cbbcd00d0c4b0c1a.mov

mfostr 6d ago

C2PA https://C2PA.org uses CAWG https://cawg.io/ for identity, I am moving towards building prototypes that map context with JSON-LD to CAWG Context https://cawg.io/identity/1.1/ica/context/ for Nostr and bridging it to ProofMode https://ProofMode.org for interoperability.

https://proof-chain.pages.dev/

Replying to

mfostr

Correct, postMessage is the way to keep the contexts separate. You can do the same with OPFS, it’s got some added features with a hidden context by default and is highly performant. You can also back up your signed nostr event notes in an SQLite DB and pin other SHA256 addressable notes via local cache.

https://primal.net/e/1cb0612ff42762b7639e64b641319229d4e7848a4228331f6f27f27fa6c248cd

client.com (page)

│

│ postMessage (cross‑origin, sandbox‑safe)

▼

vault.com (iframe)

│

│ postMessage (same‑origin, internal)

▼

vault Worker (isolated agent)

│

├── OPFS (Origin Private File System)

└── IndexedDB

mfostr 2w ago

This is the way!

https://youtu.be/LaiN63o_BxA

Replying to

bigmarh

The key detail you might be missing is that NostrPass executes in a Worker, not in the main page context. So in NOstrpass it goes client -> vault -> worker. The worker has it's own context and isn't callable from the extension.

mfostr 2w ago

Correct, postMessage is the way to keep the contexts separate. You can do the same with OPFS, it’s got some added features with a hidden context by default and is highly performant. You can also back up your signed nostr event notes in an SQLite DB and pin other SHA256 addressable notes via local cache.

https://primal.net/e/1cb0612ff42762b7639e64b641319229d4e7848a4228331f6f27f27fa6c248cd

client.com (page)

│

│ postMessage (cross‑origin, sandbox‑safe)

▼

vault.com (iframe)

│

│ postMessage (same‑origin, internal)

▼

vault Worker (isolated agent)

│

├── OPFS (Origin Private File System)

└── IndexedDB

Replying to

bigmarh

I like the Idea of OPFS for sure, context is what matters.

mfostr 2w ago

🙌 Absolutely, I agree 1000% percent, context is everything!

Replying to

gandlaf21

It's kinda insane that we've built the incentive structures of business in a way that are designed to fuck over the user/consumer.

How nice would it be if you could just trust a company to do the right things, and is not gonna extract and sell every last drop of data from you?

I might even consider running non-opensource software.

But in this precedent, no way.

you have to assume they are trying to fuck you.

A sad symptom of fiat money, or how did we end up here?

mfostr 2w ago

Greed.

Replying to

mfostr

I’m trying to wrap my head around the differences between using IndexedDB, OPFS, and SQLite in your scenario. I’ve been researching the idea of running an isolated iFrame on client.com for vault.com and passing data between the two origins via postMessage. In that setup, is there anything in NostrPass that prevents rogue extension