All the network traffic from that browser is routed through a server. My IP inside that browser was in India and on CloudFlare network. I don’t particularly trust Puter. Why not route traffic through my actual browser?

Because the web browser can't make arbitrary network connections. Even if it was implemented intercepting at the HTTP layer (which would probably be much more difficult than just intercepting the low level socket operations) you wouldn't be able to properly manage CORS headers, cookies and various other things.

>Why not route traffic through my actual browser?

Because you can't. Not even an Extension is able to. Browsers don't want you to bypass their content enforcement. I wish we had at least one hacker friendly browser.

Extensions can't, correct but I wanted to bring up a special case regarding this

Isolated web apps a chrome feature for developing apps that run in chromium based on HTML (but tbh only really used in Chromebooks) do support raw TCP sockets so if this was ported to an IWA you could have Firefox on a Chromebook without an external server needed.

Chromium CEF could also embed the Puter proxy inside it too as a standalone application. No luck on Mobile though.

No, it is possible with extensions.

Extensions can inject headers, such as Access-Control-Allow-Origin: *, to unblock cross-origin requests. In the Manifest V3 context, however, that might require patching window.fetch and window.XMLHttpRequest.

For example,

  // content.js
  window.fetch = async (...args) => {
    const request = args[0] instanceof Request ? args[0].url : args[0]
    const config = args[1] || {}

    return new Promise((resolve, reject) => {
      chrome.runtime.sendMessage({ action: "proxyFetch", request, config }, response => {
        if (response.error) {
          const err = new Error(response.error.message)
          err.name = response.error.name
          err.stack = response.error.stack
          if (response.error.cause) err.cause = response.error.cause
          reject(err)
        } else {
          const base64Data = response.dataUrl.split(",")[1]
          const bytes = Uint8Array.from(atob(base64Data), c => c.charCodeAt(0))
          const contentType = response.headers["content-type"] || "application/octet-stream"
          const blob = new Blob([bytes], { type: contentType })

          const status = response.status
          const statusText = response.statusText
          const headers = new Headers(response.headers)
          const body = status === 204 || status === 205 || status === 304 ? null : blob
          resolve(new Response(body, { status, statusText, headers }))
        }
      })
    })
  }

  // Background.js
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    if (message.action === "proxyFetch") {
      fetch(message.request, message.config)
        .then(async res => {
          const headers = Object.fromEntries(res.headers.entries())
          const blob = await res.blob()
          const reader = new FileReader()
          reader.onloadend = () =>
            sendResponse({ status: res.status, statusText: res.statusText, headers, dataUrl: reader.result })
          reader.readAsDataURL(blob)
        })
        .catch(err => {
          const { name, message, code, stack } = err
          sendResponse({ error: { name, message, code, stack } })
        })

      // Keeps the message channel open for the async fetch
      return true
    }
  })

This is a cors bypass but part of this demo is that it's full Firefox including TLS support. Using this still means intercepting all requests in an inspectable medium and does defeat part of the point

This isn't enough for every website to load normally.

> Browsers don't want you to bypass their content enforcement

I for one am happy that browsers dont let any random web page i visit port scan my internal network.

No one said any site should. Letting a site you control do it is a perfectly valid user choice. Otherwise people are stuck going through third-party proxies which is far worse.

The TCP proxy exit node we're using is running on Cloudflare, you can check that your traffic is still TLS encrypted by OpenSSL (also compiled to webassembly). The browser does not have a native API to send raw TCP so the proxying is done by the http://github.com/MercuryWorkshop/wisp-protocol protocol. You can check your packets in dev tools, look for a socket connection with "puter.cafe" as the host for our TCP proxy. This application is meant to be a demo for it actually (why it says at the bottom that its powered by puter networking). That is the only server side component of this.

I was reading your landing page at https://developer.puter.com/networking/ and was very confused by how you were achieving the "with no server or proxy" part, until much further down the page:

> "the connection is tunneled over a single WebSocket to a Puter relay"

Come on, it's both a server and a proxy, and it doesn't stop being those things just because you're calling it a relay.

I wrote that and I think you're right. We were trying to convey that you don't need to set up anything, but the wording could definitely be better. I'll change it.

apologies yes there is a wording error here, the correct wording is no CORS proxy, the reason why this is important is because cors proxies are inherently insecure (this is different because the TLS is done in your browser with a webassembly library).

no servers is referring to you not needing to host servers in the same as the term "serverless". Such is the ways of modern tech terms I fear

Seems easy to fix it and say 'no CORS proxy' and 'no need to host your own server'. It was very confusing to me too.

You are definitely right, going to see if I can talk to the relevant person to fix the wording on it

Puter's networking is open-source and e2e encrypted. Also, a regular browser doesn't give access to raw TCP sockets used for this, so it wouldn't be possible to route through your browser.

So it's just the three accounts you have now? (Show by @coolelectronics now and 7 months ago [1], show from you/@ent101 2d ago [0], 2025[2,3,4], 2024[5,6,7,8,9,A,B,C,D], 2023[E], @george0812 2022[F])

[0]: https://news.ycombinator.com/item?id=48895945

[1]: https://news.ycombinator.com/user?id=coolelectronics

[2]: https://news.ycombinator.com/item?id=45522061

[3]: https://news.ycombinator.com/item?id=44193514

[4]: https://news.ycombinator.com/item?id=42675696

[5]: https://news.ycombinator.com/item?id=41849494

[6]: https://news.ycombinator.com/item?id=41682779

[7]: https://news.ycombinator.com/item?id=41360683

[8]: https://news.ycombinator.com/item?id=41040761

[9]: https://news.ycombinator.com/item?id=40802253

[A]: https://news.ycombinator.com/item?id=39829463

[B]: https://news.ycombinator.com/item?id=39672886

[C]: https://news.ycombinator.com/item?id=39597030

[D]: https://news.ycombinator.com/item?id=39036897

[E]: https://news.ycombinator.com/item?id=38202220

[F]: https://news.ycombinator.com/item?id=31611016

what do you mean? we're a team of 10 and have 390 contributors. We post regularly, including me.

The 21 on github, do you mean? And only nine above 3 commits ever? Yes you post regularly, too much even, and in the face of the guideline Please don't use HN primarily for promotion

nobody (hyperbole, corrected: few) follows that promotion rule. and where are you getting 21 from? the github repo https://github.com/HeyPuter/puter says 391 contributors, subtract maybe a few for bots

also, talk about posting too much? look at your own submissions page

Yep, you're right, that was on browser.js, not the whole repo (19 above 6 commits, out of 391)

I think it's either an automated account or just karma-farming at the highest level lol

Why are you being so hostile?

[deleted]

this should be documented with highlight to prevent anyone trying to leak some personal information.

i never did some wasm but seems it runs quite fast on my macmini m1