Re: Recent Changes To Twitter.com Has Broken My App

2009-02-16 Thread Shannon Whitley

Thanks everyone.  I didn't have all of the information regarding the
clickjacking incidents and only saw the effects of the script
changes.  I agree that the iframe restriction was the best and easiest
thing for Twitter to implement.



On Feb 15, 12:24 pm, John Adams j...@twitter.com wrote:


Re: Recent Changes To Twitter.com Has Broken My App

2009-02-15 Thread Shannon Whitley

I hope Twitter will reconsider these changes.  With My Tweeple, I was
able to provide a preview of a user's updates by displaying the page
in an iframe.  It was very convenient for the user to review someone's
tweets before deciding to follow someone.  It also appears that
Twummize.com no longer works (one of my favorite simple mashups of
Twitter and Twitter Search).  Forcing an app to hit the API to
recreate a page that already exists on Twitter.com seems like a bad
thing for Twitter.

On Feb 13, 3:10 pm, Cameron Kaiser spec...@floodgap.com wrote:

 Twitter doesn't support using iframes and anything you had working before
 was almost certainly by accident. You're going to have to code something up
 that queries the API.

 --
 personal: http://www.cameronkaiser.com/ --
 Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
 -- The faster we go, the rounder we get. -- The Grateful Dead, on relativity --


Re: Recent Changes To Twitter.com Has Broken My App

2009-02-15 Thread John Adams


Actually, forcing an app to use the API is better for Twitter. You get  
the data directly, and the system doesn't spend any time rendering the  
HTML. Less data from us = less time tying up server resources.


There's no reason why you can't write a small amount of code to fetch  
a user's Tweets and display them in an IFRAME in the same way that  
you've described, with your site as the IFRAME's source.


There were few options to defend against clickjacking. Denying IFRAMEs  
and preventing authenticated sessions from opening in them (when part  
of another page) was our best defense.


-john

On Feb 15, 2009, at 8:18 AM, Shannon Whitley wrote:







Re: Recent Changes To Twitter.com Has Broken My App

2009-02-15 Thread Abraham Williams
Supposedly there are a couple of methods of blocking Twitters JavaScript but
I can't find the page anymore. My recollection is they mostly relied on
vulnerabilities in IE... Kind of ironic actually. I would not recommend this
method as it probably could get you banned from Twitter.

On Sun, Feb 15, 2009 at 12:11, John Adams j...@twitter.com wrote:



-- 
Abraham Williams | http://the.hackerconundrum.com
Web608 | Community Evangelist | http://web608.org
This email is: [ ] blogable [x] ask first [ ] private.
Sent from: Madison Wi United States.


Re: Recent Changes To Twitter.com Has Broken My App

2009-02-15 Thread John Adams
I'm fairly certain we've patched the IE vulnerability, and that it  
only affected users on IE6. I'd have to ask our UX team, though.


-j

On Feb 15, 2009, at 12:19 PM, Abraham Williams wrote:


---
John Adams
Twitter Operations
j...@twitter.com
http://twitter.com/netik






Recent Changes To Twitter.com Has Broken My App

2009-02-13 Thread mstearne

Because of the click-jacking incident yesterday it seems you've added
something like:

//<![CDATA[
  twttr.form_authenticity_token = '966f6780e3bb206fe5f451d9ea40407f6532277f';
  // Frame-busting: if this document is not the top-level window, blank the
  // body almost immediately and again once the page has loaded.
  if (window.top !== window.self) {
    setTimeout(function() { document.body.innerHTML = ''; }, 1);
    window.self.onload = function(evt) { document.body.innerHTML = ''; };
  }
//]]>

Which I guess fixes the click-jack problem but now our app at
http://topichawk.com/ is broken because we use an iFrame in a harmless
way to display tweets.  Is there a process to keep our site from being
treated like a spammer?

Thanks!
Michael
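The two defensive ideas in this thread, John Adams's "denying IFRAMEs and preventing authenticated sessions from opening in them" and the frame-busting script quoted above, expressed as a server-side framing policy. This is an added example in JavaScript (runs under Node with no dependencies), not code from Twitter or from anyone in the thread; the `_sess` cookie name, the `ALLOWED_EMBEDDERS` allowlist and the example origins are assumptions made for illustration, and `mayBeFramedBy` is a simplified model of the browser's check, not a browser API.

```javascript
// Added example, not Twitter's code: the header-based form of the defense
// the thread describes (deny framing outright for authenticated sessions),
// in place of an in-page script that blanks document.body when
// window.top !== window.self. The browser applies the header before any of
// the page's own script runs.
// Assumptions (constructed): the session cookie is named "_sess";
// ALLOWED_EMBEDDERS is a hypothetical allowlist of partner origins that may
// frame public, unauthenticated pages.

const ALLOWED_EMBEDDERS = ['https://partner.example'];

function hasSessionCookie(requestHeaders) {
  const cookie = requestHeaders['cookie'] || '';
  return cookie.split(';').some(c => c.trim().startsWith('_sess='));
}

// Anti-framing headers for one request. Authenticated: never frameable.
// Public: frameable by 'self' and the allowlist, so a harmless embedder of
// public pages keeps working while a logged-in session never renders inside
// another site's frame. X-Frame-Options has no multi-origin form, so it
// carries the nearest fallback for browsers that do not understand CSP.
function frameHeadersFor(requestHeaders) {
  if (hasSessionCookie(requestHeaders)) {
    return { 'X-Frame-Options': 'DENY',
             'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  return { 'X-Frame-Options': 'SAMEORIGIN',
           'Content-Security-Policy':
             `frame-ancestors 'self' ${ALLOWED_EMBEDDERS.join(' ')}` };
}

// Simplified model of the browser's check: may a document served with
// `headers` from `pageOrigin` render inside a frame whose top-level document
// comes from `embedderOrigin`? Exact-origin matching only, no wildcards.
function mayBeFramedBy(headers, pageOrigin, embedderOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const fa = csp.split(';').map(d => d.trim())
                .find(d => d.startsWith('frame-ancestors'));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1);
    if (sources.includes("'none'")) return false;
    if (sources.includes("'self'") && embedderOrigin === pageOrigin) return true;
    return sources.includes(embedderOrigin);
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no policy at all: any page may frame it
}
```

An embedder of public timelines, like the apps described in the thread, is served by adding its origin to the allowlist; the authenticated UI stays unframeable regardless.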