If the User-Agent/Referrer says "Twitpay", and it's really me, when Twitter contacts me, I'll answer, and we'll work it out. If the User-Agent/Referrer says "Twitpay", and it's *not* really me, when Twitter contacts me, I'll tell them, and they'll block the IP.
It's a starting point for figuring things out, not an authorization scheme.

-- ivey

On Tue, Jun 16, 2009 at 2:39 PM, Stuart <stut...@gmail.com> wrote:

> 2009/6/16 Naveen Kohli <naveenko...@gmail.com>
>
>> Redefining HTTP spec, eh :-)
>> Whatever makes twitter boat float. Let's hope for the best. Just concerned
>> that some firewalls or proxies tend to remove "referrer".
>>
>
> What a completely ridiculous thing to say. It's not "redefining" anything.
> If Twitter want to require something in order to access their service they
> absolutely have that right. It's not like they're saying every HTTP server
> should start requiring these headers.
>
> It's true that some firewalls and proxies remove the referrer header, and
> some also remove the user agent header.
>
> I'm somewhat unclear on exactly how this stuff is supposed to help. If an
> application sets out to abuse the system they'll simply set the headers so
> they look like a normal browser. I don't see what purpose requiring these
> headers to be something useful will actually serve. IMHO you might as well
> "require" the source parameter for all API requests that use basic auth
> which is simple for all apps to implement; OAuth clearly carries
> identification with it already.
>
> -Stuart
>
> --
> http://stut.net/projects/twitter
>
> On Tue, Jun 16, 2009 at 1:05 PM, Stuart <stut...@gmail.com> wrote:
>>
>>>
>>> It's optional in the HTTP spec, but mandatory for the Twitter Search
>>> API. I don't see a problem with that.
>>>
>>> Doug: Presumably the body of the 403 response will contain a suitable
>>> descriptive error message in the usual format?
>>>
>>> -Stuart
>>>
>>> --
>>> http://stut.net/projects/twitter
>>>
>>> 2009/6/16 Naveen Kohli <naveenko...@gmail.com>:
>>> > Why would you make decision based on "Referrer" which is an OPTIONAL header
>>> > field in HTTP protocol? Making decision based on something that is
>>> > "REQUIRED" may be more appropriate.
>>> >
>>> >
>>> > On Tue, Jun 16, 2009 at 12:33 PM, Doug Williams <d...@twitter.com> wrote:
>>> >>
>>> >> Hi all,
>>> >> The Search API will begin to require a valid HTTP Referrer, or at the very
>>> >> least, a meaningful and unique user agent with each request. Any request not
>>> >> including this information will be returned a 403 Forbidden response code by
>>> >> our web server.
>>> >>
>>> >> This change will be effective within the next few days, so please check
>>> >> your applications using the Search API and make any necessary code changes.
>>> >>
>>> >> Thanks,
>>> >> Doug
>>> >
>>> >
>>> > --
>>> > Naveen K Kohli
>>> > http://www.netomatix.com
>>> >
>>>
>>
>> --
>> Naveen K Kohli
>> http://www.netomatix.com
>>
>