Thanks everyone. I didn't have all of the information regarding the clickjacking incidents and only saw the effects of the script changes. I agree that the iframe restriction was the best and easiest thing for Twitter to implement.
On Feb 15, 12:24 pm, John Adams <j...@twitter.com> wrote:
> I'm fairly certain we've patched the IE vulnerability, and that it
> only affected users on IE6. I'd have to ask our UX team, though.
>
> -j
>
> On Feb 15, 2009, at 12:19 PM, Abraham Williams wrote:
>
> > Supposedly there are a couple of methods of blocking Twitter's
> > JavaScript but I can't find the page anymore. My recollection is
> > they mostly relied on vulnerabilities in IE... Kind of ironic
> > actually. I would not recommend this method as it probably could get
> > you banned from Twitter.
> >
> > On Sun, Feb 15, 2009 at 12:11, John Adams <j...@twitter.com> wrote:
> >
> > > Actually, forcing an app to use the API is better for Twitter. You
> > > get the data directly, and the system doesn't spend any time
> > > rendering the HTML. Less data from us = less time tying up server
> > > resources.
> > >
> > > There's no reason why you can't write a small amount of code to
> > > fetch a user's Tweets and display them in an IFRAME in the same way
> > > that you've described, with your site as the IFRAME's source.
> > >
> > > There were few options to defend against clickjacking. Denying
> > > IFRAMEs and preventing authenticated sessions from opening in them
> > > (when part of another page) was our best defense.
> > >
> > > -john
> > >
> > > On Feb 15, 2009, at 8:18 AM, Shannon Whitley wrote:
> > >
> > > > I hope Twitter will reconsider these changes. With My Tweeple, I was
> > > > able to provide a preview of a user's updates by displaying the page
> > > > in an iframe. It was very convenient for the user to review someone's
> > > > tweets before deciding to follow someone. It also appears that
> > > > Twummize.com no longer works (one of my favorite simple mashups of
> > > > Twitter and Twitter Search). Forcing an app to hit the API to
> > > > recreate a page that already exists on Twitter.com seems like a bad
> > > > thing for Twitter.
> > > >
> > > > On Feb 13, 3:10 pm, Cameron Kaiser <spec...@floodgap.com> wrote:
> > > >
> > > > > > Because of the click-jacking incident yesterday it seems you've added
> > > > > > something like:
> > > > > >
> > > > > >   //<![CDATA[
> > > > > >   twttr.form_authenticity_token = '966f6780e3bb206fe5f451d9ea40407f6532277f';
> > > > > >   if (window.top !== window.self) {
> > > > > >     setTimeout(function() { document.body.innerHTML = ''; }, 1);
> > > > > >     window.self.onload = function(evt) { document.body.innerHTML = ''; };
> > > > > >   }
> > > > > >   //]]>
> > > > > >
> > > > > > Which I guess fixes the click-jack problem but now our app at
> > > > > > http://topichawk.com/ is broken because we use an iFrame in a harmless
> > > > > > way to display tweets. Is there a process to keep our site from being
> > > > > > treated like a spammer?
> > > > >
> > > > > Twitter doesn't support using <iframe>s and anything you had working before
> > > > > was almost certainly by accident. You're going to have to code something up
> > > > > that queries the API.
> > > > >
> > > > > --
> > > > > ------------------------------------
> > > > > personal: http://www.cameronkaiser.com/ --
> > > > > Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
> > > > > -- The faster we go, the rounder we get. -- The Grateful Dead, on relativity
> >
> > --
> > Abraham Williams | http://the.hackerconundrum.com
> > Web608 | Community Evangelist | http://web608.org
> > This email is: [ ] blogable [x] ask first [ ] private.
> > Sent from: Madison Wi United States.
>
> ---
> John Adams
> Twitter Operations
> j...@twitter.com
> http://twitter.com/netik
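The approach John Adams recommends in the thread (fetch a user's tweets through the API and render them from your own origin, with your own page as the iframe's source) as an added example; this is not code from the thread or from Twitter. It assumes the timeline JSON has already been fetched (a constructed sample is embedded instead of a network call), HTML-escapes every field before building the markup, and `buildPreviewPage` is a hypothetical helper name.

```javascript
// Added example (not from the thread): build a tweet preview page from API
// data on your own origin, so no twitter.com page is ever loaded in a frame.

// Constructed sample in the shape of a user-timeline API response; a real app
// would fetch this JSON from the API (the network call is omitted here).
const SAMPLE_TIMELINE = [
  { id: 1, text: "Hello world", created_at: "Sun Feb 15 20:11:00 +0000 2009",
    user: { screen_name: "alice", name: "Alice" } },
  { id: 2, text: "<script>alert(1)</script> & \"quotes\"",
    created_at: "Sun Feb 15 20:12:00 +0000 2009",
    user: { screen_name: "mallory", name: "Mallory" } },
];

// Escape the five characters that matter in HTML text and attribute context;
// every field taken from the API response goes through this before it
// touches the markup, so tweet text is always data, never markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one tweet as a list item.
function renderTweet(tweet) {
  const who = escapeHtml(tweet.user.screen_name);
  return `<li><strong>@${who}</strong>: ${escapeHtml(tweet.text)}` +
    ` <small>${escapeHtml(tweet.created_at)}</small></li>`;
}

// Render the whole timeline into a markup fragment.
function renderTimeline(tweets) {
  return `<ul class="tweets">${tweets.map(renderTweet).join("")}</ul>`;
}

// Hypothetical helper: wrap the fragment in a minimal document that your own
// site serves; that URL is what your <iframe src> points at, and it carries
// none of twitter.com's frame-busting script because it is your page.
function buildPreviewPage(tweets) {
  return `<!DOCTYPE html><html><head><meta charset="utf-8">` +
    `<title>Tweet preview</title></head><body>` +
    renderTimeline(tweets) + `</body></html>`;
}
```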