Re: Recent Changes To Twitter.com Has Broken My App
Thanks everyone. I didn't have all of the information regarding the clickjacking incidents and only saw the effects of the script changes. I agree that the iframe restriction was the best and easiest thing for Twitter to implement. On Feb 15, 12:24 pm, John Adams wrote: > I'm fairly certain we've patched the IE vulnerability, and that it > only affected users on IE6. I'd have to ask our UX team, though. > > -j > > On Feb 15, 2009, at 12:19 PM, Abraham Williams wrote: > > > > > > > Supposedly there are a couple of methods of blocking Twitters > > JavaScript but I can't find the page anymore. My recollection is > > they mostly relied on vulnerabilities in IE... Kind of ironic > > actually. I would not recommend this method as it probably could get > > you banned from Twitter. > > > On Sun, Feb 15, 2009 at 12:11, John Adams wrote: > > > Actually, forcing an app to use the API is better for Twitter. You > > get the data directly, and the system doesn't spend any time > > rendering the HTML. Less data from us = less time tying up server > > resources. > > > There's no reason why you can't write a small amount of code to > > fetch a user's Tweets and display them in an IFRAME in the same way > > that you've described, with your site as the IFRAME's source. > > > There were few options to defend against clickjacking. Denying > > IFRAMEs and preventing authenticated sessions from opening in them > > (when part of another page) was our best defense. > > > -john > > > On Feb 15, 2009, at 8:18 AM, Shannon Whitley wrote: > > > I hope Twitter will reconsider these changes. With My Tweeple, I was > > able to provide a preview of a user's updates by displaying the page > > in an iframe. It was very convenient for the user to review someone's > > tweets before deciding to follow someone. It also appears that > > Twummize.com no longer works (one of my favorite simple mashups of > > Twitter and Twitter Search). Forcing an app to hit the API to > > recreate a page that already exists on Twitter.com seems like a bad > > thing for Twitter. > > > On Feb 13, 3:10 pm, Cameron Kaiser wrote: > > Because if the click-jacking incident yesterday it seems you've added > > > something like: > > > // > > > Which I guess fixes the click-jack problem but now our app at > >http://topichawk.com/isbroken because we use an iFrame in a harmless > > way to display tweets. Is there a process to keep our site from being > > treated like a spammer? > > > Twitter doesn't support using s and anything you had working > > before > > was almost certainly by accident. You're going to have to code > > something up > > that queries the API. > > > -- > > > > personal:http://www.cameronkaiser.com/-- > > Cameron Kaiser * Floodgap Systems *www.floodgap.com* > > ckai...@floodgap.com > > -- The faster we go, the rounder we get. -- The Grateful Dead, on > > relativity --- Hide quoted text - > > > - Show quoted text - > > > -- > > Abraham Williams |http://the.hackerconundrum.com > > Web608 | Community Evangelist |http://web608.org > > This email is: [ ] blogable [x] ask first [ ] private. > > Sent from: Madison Wi United States. > > --- > John Adams > Twitter Operations > j...@twitter.comhttp://twitter.com/netik- Hide quoted text - > > - Show quoted text -
Re: Recent Changes To Twitter.com Has Broken My App
I'm fairly certain we've patched the IE vulnerability, and that it only affected users on IE6. I'd have to ask our UX team, though. -j On Feb 15, 2009, at 12:19 PM, Abraham Williams wrote: Supposedly there are a couple of methods of blocking Twitters JavaScript but I can't find the page anymore. My recollection is they mostly relied on vulnerabilities in IE... Kind of ironic actually. I would not recommend this method as it probably could get you banned from Twitter. On Sun, Feb 15, 2009 at 12:11, John Adams wrote: Actually, forcing an app to use the API is better for Twitter. You get the data directly, and the system doesn't spend any time rendering the HTML. Less data from us = less time tying up server resources. There's no reason why you can't write a small amount of code to fetch a user's Tweets and display them in an IFRAME in the same way that you've described, with your site as the IFRAME's source. There were few options to defend against clickjacking. Denying IFRAMEs and preventing authenticated sessions from opening in them (when part of another page) was our best defense. -john On Feb 15, 2009, at 8:18 AM, Shannon Whitley wrote: I hope Twitter will reconsider these changes. With My Tweeple, I was able to provide a preview of a user's updates by displaying the page in an iframe. It was very convenient for the user to review someone's tweets before deciding to follow someone. It also appears that Twummize.com no longer works (one of my favorite simple mashups of Twitter and Twitter Search). Forcing an app to hit the API to recreate a page that already exists on Twitter.com seems like a bad thing for Twitter. On Feb 13, 3:10 pm, Cameron Kaiser wrote: Because if the click-jacking incident yesterday it seems you've added something like: // Which I guess fixes the click-jack problem but now our app at http://topichawk.com/is broken because we use an iFrame in a harmless way to display tweets. Is there a process to keep our site from being treated like a spammer? Twitter doesn't support using s and anything you had working before was almost certainly by accident. You're going to have to code something up that queries the API. -- personal:http://www.cameronkaiser.com/-- Cameron Kaiser * Floodgap Systems *www.floodgap.com* ckai...@floodgap.com -- The faster we go, the rounder we get. -- The Grateful Dead, on relativity --- Hide quoted text - - Show quoted text - -- Abraham Williams | http://the.hackerconundrum.com Web608 | Community Evangelist | http://web608.org This email is: [ ] blogable [x] ask first [ ] private. Sent from: Madison Wi United States. --- John Adams Twitter Operations j...@twitter.com http://twitter.com/netik
Re: Recent Changes To Twitter.com Has Broken My App
Supposedly there are a couple of methods of blocking Twitters JavaScript but I can't find the page anymore. My recollection is they mostly relied on vulnerabilities in IE... Kind of ironic actually. I would not recommend this method as it probably could get you banned from Twitter. On Sun, Feb 15, 2009 at 12:11, John Adams wrote: > > Actually, forcing an app to use the API is better for Twitter. You get the > data directly, and the system doesn't spend any time rendering the HTML. > Less data from us = less time tying up server resources. > > There's no reason why you can't write a small amount of code to fetch a > user's Tweets and display them in an IFRAME in the same way that you've > described, with your site as the IFRAME's source. > > There were few options to defend against clickjacking. Denying IFRAMEs and > preventing authenticated sessions from opening in them (when part of another > page) was our best defense. > > -john > > > On Feb 15, 2009, at 8:18 AM, Shannon Whitley wrote: > > >> I hope Twitter will reconsider these changes. With My Tweeple, I was >> able to provide a preview of a user's updates by displaying the page >> in an iframe. It was very convenient for the user to review someone's >> tweets before deciding to follow someone. It also appears that >> Twummize.com no longer works (one of my favorite simple mashups of >> Twitter and Twitter Search). Forcing an app to hit the API to >> recreate a page that already exists on Twitter.com seems like a bad >> thing for Twitter. >> >> On Feb 13, 3:10 pm, Cameron Kaiser wrote: >> >>> Because if the click-jacking incident yesterday it seems you've added >>> >>> something like: >>> >>> // >>> >>> Which I guess fixes the click-jack problem but now our app at http://topichawk.com/is broken because we use an iFrame in a harmless way to display tweets. Is there a process to keep our site from being treated like a spammer? >>> >>> Twitter doesn't support using s and anything you had working >>> before >>> was almost certainly by accident. You're going to have to code something >>> up >>> that queries the API. >>> >>> -- >>> personal: >>> http://www.cameronkaiser.com/-- >>> Cameron Kaiser * Floodgap Systems *www.floodgap.com* >>> ckai...@floodgap.com >>> -- The faster we go, the rounder we get. -- The Grateful Dead, on >>> relativity --- Hide quoted text - >>> >>> - Show quoted text - >>> >> > -- Abraham Williams | http://the.hackerconundrum.com Web608 | Community Evangelist | http://web608.org This email is: [ ] blogable [x] ask first [ ] private. Sent from: Madison Wi United States.
Re: Recent Changes To Twitter.com Has Broken My App
Actually, forcing an app to use the API is better for Twitter. You get the data directly, and the system doesn't spend any time rendering the HTML. Less data from us = less time tying up server resources. There's no reason why you can't write a small amount of code to fetch a user's Tweets and display them in an IFRAME in the same way that you've described, with your site as the IFRAME's source. There were few options to defend against clickjacking. Denying IFRAMEs and preventing authenticated sessions from opening in them (when part of another page) was our best defense. -john On Feb 15, 2009, at 8:18 AM, Shannon Whitley wrote: I hope Twitter will reconsider these changes. With My Tweeple, I was able to provide a preview of a user's updates by displaying the page in an iframe. It was very convenient for the user to review someone's tweets before deciding to follow someone. It also appears that Twummize.com no longer works (one of my favorite simple mashups of Twitter and Twitter Search). Forcing an app to hit the API to recreate a page that already exists on Twitter.com seems like a bad thing for Twitter. On Feb 13, 3:10 pm, Cameron Kaiser wrote: Because if the click-jacking incident yesterday it seems you've added something like: // Which I guess fixes the click-jack problem but now our app at http://topichawk.com/is broken because we use an iFrame in a harmless way to display tweets. Is there a process to keep our site from being treated like a spammer? Twitter doesn't support using s and anything you had working before was almost certainly by accident. You're going to have to code something up that queries the API. -- personal:http://www.cameronkaiser.com/-- Cameron Kaiser * Floodgap Systems *www.floodgap.com* ckai...@floodgap.com -- The faster we go, the rounder we get. -- The Grateful Dead, on relativity --- Hide quoted text - - Show quoted text -
Re: Recent Changes To Twitter.com Has Broken My App
I have to agree with Cameron. The reality of the situation is that Twitter has provided an official, easy-to-use method for interacting with the site. If they decide to cut off other methods of working with Twitter, that's well within their right. 2009/2/15 Cameron Kaiser : > >> I hope Twitter will reconsider these changes. With My Tweeple, I was >> able to provide a preview of a user's updates by displaying the page >> in an iframe. It was very convenient for the user to review someone's >> tweets before deciding to follow someone. It also appears that >> Twummize.com no longer works (one of my favorite simple mashups of >> Twitter and Twitter Search). Forcing an app to hit the API to >> recreate a page that already exists on Twitter.com seems like a bad >> thing for Twitter. > > Do you dispute, though, that having (possibly an authenticated session of) > Twitter in a dependent iframe was an exploitable insecurity? I'm not sure > how they could have dealt with the problem any other way. > > -- > personal: http://www.cameronkaiser.com/ > -- > Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com > -- Aibohphobia, the fear of palindromes. -- Brian Braunschweiger > -- >
Re: Recent Changes To Twitter.com Has Broken My App
> I hope Twitter will reconsider these changes. With My Tweeple, I was > able to provide a preview of a user's updates by displaying the page > in an iframe. It was very convenient for the user to review someone's > tweets before deciding to follow someone. It also appears that > Twummize.com no longer works (one of my favorite simple mashups of > Twitter and Twitter Search). Forcing an app to hit the API to > recreate a page that already exists on Twitter.com seems like a bad > thing for Twitter. Do you dispute, though, that having (possibly an authenticated session of) Twitter in a dependent iframe was an exploitable insecurity? I'm not sure how they could have dealt with the problem any other way. -- personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- Aibohphobia, the fear of palindromes. -- Brian Braunschweiger --
Re: Recent Changes To Twitter.com Has Broken My App
I hope Twitter will reconsider these changes. With My Tweeple, I was able to provide a preview of a user's updates by displaying the page in an iframe. It was very convenient for the user to review someone's tweets before deciding to follow someone. It also appears that Twummize.com no longer works (one of my favorite simple mashups of Twitter and Twitter Search). Forcing an app to hit the API to recreate a page that already exists on Twitter.com seems like a bad thing for Twitter. On Feb 13, 3:10 pm, Cameron Kaiser wrote: > > Because if the click-jacking incident yesterday it seems you've added > > > something like: > > > // > > > Which I guess fixes the click-jack problem but now our app at > >http://topichawk.com/is broken because we use an iFrame in a harmless > > way to display tweets. Is there a process to keep our site from being > > treated like a spammer? > > Twitter doesn't support using s and anything you had working before > was almost certainly by accident. You're going to have to code something up > that queries the API. > > -- > personal:http://www.cameronkaiser.com/-- > Cameron Kaiser * Floodgap Systems *www.floodgap.com* ckai...@floodgap.com > -- The faster we go, the rounder we get. -- The Grateful Dead, on relativity > --- Hide quoted text - > > - Show quoted text -
Re: Recent Changes To Twitter.com Has Broken My App
> Because if the click-jacking incident yesterday it seems you've added > > something like: > > // > > Which I guess fixes the click-jack problem but now our app at > http://topichawk.com/ is broken because we use an iFrame in a harmless > way to display tweets. Is there a process to keep our site from being > treated like a spammer? Twitter doesn't support using s and anything you had working before was almost certainly by accident. You're going to have to code something up that queries the API. -- personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- The faster we go, the rounder we get. -- The Grateful Dead, on relativity --
Recent Changes To Twitter.com Has Broken My App
Because if the click-jacking incident yesterday it seems you've added something like: // Which I guess fixes the click-jack problem but now our app at http://topichawk.com/ is broken because we use an iFrame in a harmless way to display tweets. Is there a process to keep our site from being treated like a spammer? Thanks! Michael