Thanks everyone.  I didn't have all of the information regarding the
clickjacking incidents and only saw the effects of the script
changes.  I agree that the iframe restriction was the best and easiest
thing for Twitter to implement.



On Feb 15, 12:24 pm, John Adams <j...@twitter.com> wrote:
> I'm fairly certain we've patched the IE vulnerability, and that it  
> only affected users on IE6. I'd have to ask our UX team, though.
>
> -j
>
> On Feb 15, 2009, at 12:19 PM, Abraham Williams wrote:
>
> > Supposedly there are a couple of methods of blocking Twitter's  
> > JavaScript but I can't find the page anymore. My recollection is  
> > they mostly relied on vulnerabilities in IE... Kind of ironic  
> > actually. I would not recommend this method as it probably could get  
> > you banned from Twitter.
>
> > On Sun, Feb 15, 2009 at 12:11, John Adams <j...@twitter.com> wrote:
>
> > Actually, forcing an app to use the API is better for Twitter. You  
> > get the data directly, and the system doesn't spend any time  
> > rendering the HTML. Less data from us = less time tying up server  
> > resources.
>
> > There's no reason why you can't write a small amount of code to  
> > fetch a user's Tweets and display them in an IFRAME in the same way  
> > that you've described, with your site as the IFRAME's source.
>
> > There were few options to defend against clickjacking. Denying  
> > IFRAMEs and preventing authenticated sessions from opening in them  
> > (when part of another page) was our best defense.
>
> > -john
>
> > On Feb 15, 2009, at 8:18 AM, Shannon Whitley wrote:
>
> > I hope Twitter will reconsider these changes.  With My Tweeple, I was
> > able to provide a preview of a user's updates by displaying the page
> > in an iframe.  It was very convenient for the user to review someone's
> > tweets before deciding to follow someone.  It also appears that
> > Twummize.com no longer works (one of my favorite simple mashups of
> > Twitter and Twitter Search).  Forcing an app to hit the API to
> > recreate a page that already exists on Twitter.com seems like a bad
> > thing for Twitter.
>
> > On Feb 13, 3:10 pm, Cameron Kaiser <spec...@floodgap.com> wrote:
> > Because of the click-jacking incident yesterday it seems you've added
> > something like:
> >
> > //<![CDATA[
> > twttr.form_authenticity_token = '966f6780e3bb206fe5f451d9ea40407f6532277f';
> > if (window.top !== window.self) {
> >   setTimeout(function() { document.body.innerHTML = ''; }, 1);
> >   window.self.onload = function(evt) { document.body.innerHTML = ''; };
> > }
> > //]]>
>
> > Which I guess fixes the click-jack problem but now our app at
> > http://topichawk.com/ is broken because we use an iFrame in a harmless
> > way to display tweets.  Is there a process to keep our site from being
> > treated like a spammer?
>
> > Twitter doesn't support using <iframe>s and anything you had working
> > before was almost certainly by accident. You're going to have to code
> > something up that queries the API.
>
> > --
> > ------------------------------------
> > personal: http://www.cameronkaiser.com/ --
> > Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
> > -- The faster we go, the rounder we get. -- The Grateful Dead, on relativity --
>
> > --
> > Abraham Williams | http://the.hackerconundrum.com
> > Web608 | Community Evangelist | http://web608.org
> > This email is: [ ] blogable [x] ask first [ ] private.
> > Sent from: Madison Wi United States.
>
> ---
> John Adams
> Twitter Operations
> j...@twitter.com
> http://twitter.com/netik
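
The frame-busting script quoted in the thread, written here as an added example (not Twitter's own code) as pure functions over window-like objects so its behaviour can be exercised outside a browser with constructed stand-ins; `isFramed`, `applyFrameBusting`, `makeWindow`, `makeDocument` and `demo` are names chosen for this example. Because the check runs entirely in the page's own JavaScript, it does nothing when that script is blocked, which is the gap the thread alludes to when it mentions ways of blocking Twitter's JavaScript.

```javascript
// Added example, not Twitter's code: the window.top !== window.self
// frame-busting check from the thread, as testable pure functions.

// Decide whether the document is being rendered inside another page's frame.
// In a top-level document, window.top and window.self are the same object.
function isFramed(win) {
  return win.top !== win.self;
}

// Apply the defence described in the thread: when framed, blank the body
// almost immediately (1 ms timer) and again on load, so a clickjacking
// overlay has nothing underneath to receive the click. Returns whether
// the defence fired. `schedule` stands in for setTimeout so the demo
// can run without a browser event loop.
function applyFrameBusting(win, doc, schedule) {
  if (!isFramed(win)) {
    return false;                 // top-level: leave the page alone
  }
  const blank = function () { doc.body.innerHTML = ''; };
  schedule(blank, 1);             // equivalent of setTimeout(blank, 1)
  win.self.onload = blank;        // and again once the page has fully loaded
  return true;
}

// Constructed stand-ins for window and document, used only for the demo.
function makeWindow(framed) {
  const self = { onload: null };
  // A framed window sees a different object as `top`; a top-level one sees itself.
  return { self: self, top: framed ? { onload: null } : self };
}
function makeDocument(html) {
  return { body: { innerHTML: html } };
}

// Run the check in the framed and top-level cases, fire the queued timer
// and the load handler, and report whether the body survived.
function demo(framed) {
  const win = makeWindow(framed);
  const doc = makeDocument('<p>tweets</p>');   // constructed page content
  const timers = [];
  const busted = applyFrameBusting(win, doc, (fn, ms) => timers.push(fn));
  timers.forEach((fn) => fn());                 // fire the queued timer
  if (win.self.onload) win.self.onload();       // fire the load handler
  return { busted: busted, body: doc.body.innerHTML };
}
```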
