Re: Recent Changes To Twitter.com Has Broken My App
Thanks everyone. I didn't have all of the information regarding the clickjacking incidents and only saw the effects of the script changes. I agree that the iframe restriction was the best and easiest thing for Twitter to implement.
Re: Recent Changes To Twitter.com Has Broken My App
I hope Twitter will reconsider these changes. With My Tweeple, I was able to provide a preview of a user's updates by displaying the page in an iframe. It was very convenient for the user to review someone's tweets before deciding to follow someone.

It also appears that Twummize.com no longer works (one of my favorite simple mashups of Twitter and Twitter Search). Forcing an app to hit the API to recreate a page that already exists on Twitter.com seems like a bad thing for Twitter.

On Feb 13, 3:10 pm, Cameron Kaiser spec...@floodgap.com wrote:
> Twitter doesn't support using iframes and anything you had working before was almost certainly by accident. You're going to have to code something up that queries the API.
>
> -- personal: http://www.cameronkaiser.com/ --
> Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
> -- The faster we go, the rounder we get. -- The Grateful Dead, on relativity ---
Re: Recent Changes To Twitter.com Has Broken My App
Actually, forcing an app to use the API is better for Twitter. You get the data directly, and the system doesn't spend any time rendering the HTML. Less data from us = less time tying up server resources.

There's no reason why you can't write a small amount of code to fetch a user's Tweets and display them in an IFRAME in the same way that you've described, with your site as the IFRAME's source.

There were few options to defend against clickjacking. Denying IFRAMEs and preventing authenticated sessions from opening in them (when part of another page) was our best defense.

-john
Re: Recent Changes To Twitter.com Has Broken My App
Supposedly there are a couple of methods of blocking Twitter's JavaScript but I can't find the page anymore. My recollection is they mostly relied on vulnerabilities in IE... Kind of ironic actually. I would not recommend this method as it probably could get you banned from Twitter.

--
Abraham Williams | http://the.hackerconundrum.com
Web608 | Community Evangelist | http://web608.org
This email is: [ ] blogable [x] ask first [ ] private.
Sent from: Madison Wi United States.
Re: Recent Changes To Twitter.com Has Broken My App
I'm fairly certain we've patched the IE vulnerability, and that it only affected users on IE6. I'd have to ask our UX team, though.

-j

---
John Adams
Twitter Operations
j...@twitter.com
http://twitter.com/netik
Recent Changes To Twitter.com Has Broken My App
Because of the click-jacking incident yesterday it seems you've added something like:

    //<![CDATA[
    twttr.form_authenticity_token = '966f6780e3bb206fe5f451d9ea40407f6532277f';
    if (window.top !== window.self) {
      setTimeout(function() { document.body.innerHTML = ''; }, 1);
      window.self.onload = function(evt) { document.body.innerHTML = ''; };
    }
    //]]>

Which I guess fixes the click-jack problem but now our app at http://topichawk.com/ is broken because we use an iFrame in a harmless way to display tweets.

Is there a process to keep our site from being treated like a spammer?

Thanks!
Michael
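
The "deny IFRAMEs" defense discussed in this thread, as an added example that is not Twitter's code or any poster's: response headers the browser enforces on its own, plus a script fallback that keeps the page hidden until the top-level check passes instead of blanking it afterwards. The function names, the `antiClickjack` element id and the Node-style `res` object are assumptions made for illustration.

```javascript
// Added example; names and the element id are assumptions, not Twitter's code.

// 1. Browser-enforced policy: with these response headers the browser itself
//    refuses to render the page in a frame, whether or not page script runs.
function antiFramingHeaders(policy) {
  if (policy === 'same-origin') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Node-style handler: set the headers on every response before the body.
function servePage(req, res, html) {
  const headers = antiFramingHeaders('deny');
  for (const name of Object.keys(headers)) res.setHeader(name, headers[name]);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(html);
}

// 2. Script fallback for browsers that ignore both headers. Unlike the check
//    quoted in the thread, it fails closed: the page ships hidden via
//    <style id="antiClickjack">body{display:none !important}</style>
//    and is revealed only after the top-level check passes.
function revealIfTopLevel(win) {
  if (win.self === win.top) {
    const guard = win.document.getElementById('antiClickjack');
    if (guard) guard.parentNode.removeChild(guard);
    return true; // top-level window: show the page
  }
  win.top.location = win.self.location; // framed: stay hidden, navigate the top window to this page
  return false;
}
```

A site that wants to keep embedding its own pages would use the `'same-origin'` policy; third-party previews like the ones described in the thread still need to fetch the data through the API and render it themselves.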