I agree with Stuart; this might be tricky for client applications that are running behind firewalls / proxies that might remove both header fields, and neither the app author nor the user might have any control over this. Finally, that means you'll lock out those people from using search in their preferred Twitter apps.
Marco

2009/6/16 Stuart <stut...@gmail.com>

> 2009/6/16 Naveen Kohli <naveenko...@gmail.com>
>
>> Redefining HTTP spec, eh :-)
>> Whatever makes twitter boat float. Lets hope for the best. Just concerned
>> that some firewalls or proxies tend to remove "referrer".
>>
>
> What a completely ridiculous thing to say. It's not "redefining" anything.
> If Twitter want to require something in order to access their service they
> absolutely have that right. It's not like they're saying every HTTP server
> should start requiring these headers.
>
> It's true that some firewalls and proxies remove the referrer header, and
> some also remove the user agent header.
>
> I'm somewhat unclear on exactly how this stuff is supposed to help. If an
> application sets out to abuse the system they'll simply set the headers so
> they look like a normal browser. I don't see what purpose requiring these
> headers to be something useful will actually serve. IMHO you might as well
> "require" the source parameter for all API requests that use basic auth
> which is simple for all apps to implement; OAuth clearly carries
> identification with it already.
>
> -Stuart
>
> --
> http://stut.net/projects/twitter
>
> On Tue, Jun 16, 2009 at 1:05 PM, Stuart <stut...@gmail.com> wrote:
>>
>>>
>>> It's optional in the HTTP spec, but mandatory for the Twitter Search
>>> API. I don't see a problem with that.
>>>
>>> Doug: Presumably the body of the 403 response will contain a suitable
>>> descriptive error message in the usual format?
>>>
>>> -Stuart
>>>
>>> --
>>> http://stut.net/projects/twitter
>>>
>>> 2009/6/16 Naveen Kohli <naveenko...@gmail.com>:
>>> > Why would you make decision based on "Referrer" which is an OPTIONAL header
>>> > field in HTTP protocol? Making decision based on something that is
>>> > "REQUIRED" may be more appropriate.
>>> >
>>> >
>>> > On Tue, Jun 16, 2009 at 12:33 PM, Doug Williams <d...@twitter.com> wrote:
>>> >>
>>> >> Hi all,
>>> >> The Search API will begin to require a valid HTTP Referrer, or at the very
>>> >> least, a meaningful and unique user agent with each request. Any request not
>>> >> including this information will be returned a 403 Forbidden response code by
>>> >> our web server.
>>> >>
>>> >> This change will be effective within the next few days, so please check
>>> >> your applications using the Search API and make any necessary code changes.
>>> >>
>>> >> Thanks,
>>> >> Doug
>>> >
>>> >
>>> >
>>> > --
>>> > Naveen K Kohli
>>> > http://www.netomatix.com
>>> >
>>>
>>
>>
>>
>> --
>> Naveen K Kohli
>> http://www.netomatix.com
>>
>