I blogged about this twice already, but I think it’s worth talking about some more:
When I started out I wanted to recreate the RSS feed reading functionality of Netvibes (which they had just shut down). The idea was that it should run in the browser without needing a server. And I wanted to do that without actually learning JavaScript and at the same time trying “Vibe Coding”. Using Claude.ai and Mistral’s Le Chat just copying and pasting code, I got something usable really fast which was impressive.
What I didn’t realize back then was the need for a CORS proxy, because otherwise a Browser will not be able to display data from multiple sources in JavaScript due to the Same-Origin policy implemented in all modern browsers. So the first attempt already used such a proxy without me being aware of it. The problem with that is that a CORS proxy can see every single request sent through it. So one lesson I learned regarding vibe coding: You cannot rely on the code not leaking personal data. In my case this was access tokens for two paid RSS feeds.
When I actually looked at the code (weeks after I had started using it) I found that it channeled all requests through api.allorigins.win which is a public CORS proxy. So I tried to remove this myself, but failed because I just didn’t really understand why this was necessary.
Then I read about Claude Code and simply had to try it. One of the first thinks I asked it was to remove that dependency on a CORS proxy. That was when I told me that it is not possible and only then did I look up the above mentioned Wikipedia articles. It suggested that I run my own private CORS proxy and helpfully provided some php code for that. I put this code on my Linux based home server and with some debugging help from Claude Code got it to work.
I continued to improve the reader code until I was mostly satisfied with it and then realized that the current setup would only work when I was connected to my home LAN/WIFI, which was a pity because I regularly work for a week or two from one holiday flat or another, where I usually don’t bother with a VPN to my home LAN.
So I asked Claude Code whether I could run that proxy on my home page server since that already uses WordPress which is PHP based. In short, this is possible but a potential security risk because then somebody else could use that proxy for some nefarious purpose and I would be the one who would be blamed for it. It offered several possible solutions, one of them being a VPN. What it didn’t offer was adding authentication to that server, that was my own idea. So I asked it to add code to the PHP script to use basic authentication (username and password). It did that but added the username and password to the script. (Note to vibe coders: No that’s not a good idea at all! You will sooner or later end up putting that script into some public repository which will then leak that information.) So I had to ask it to move this information to a separate file which I will only put on the server. With some more debugging help from Claude Code I managed to get the CORS proxy up and running. While I kept the original public proxy as the default, I had it add a configuration for a custom proxy, which I am now using with my private proxy.
I then realized that I had not yet taken mobile browsers into account and tried to use the RSS reader on my smart phone. It was unusable. I instructed Claude Code to fix that and I got a working version pretty fast. I also let it tweak the UI some more to improve usability.
I really like the result. As I said before: You can try it yourself by either opening the rssshow.html file from the SubVersion repository or by opening it on rssshow.dummzeuch.de. And if you know JavaScript better than I (you probably do if you have ever done anything with it) I invite you to have a look and tell me what you think (through Mastodon or Delphi Praxis, see below). The same goes for the CORS proxy PHP code which is available in the repository too.
Discussion about this topic in the corresponding post in the international Delphi Praxis forum.