I'm fairly certain we've patched the IE vulnerability, and that it
only affected users on IE6. I'd have to ask our UX team, though.
-j
On Feb 15, 2009, at 12:19 PM, Abraham Williams wrote:
Supposedly there are a couple of methods of blocking Twitter's
JavaScript, but I can't find the page anymore. My recollection is
they mostly relied on vulnerabilities in IE... Kind of ironic,
actually. I would not recommend this method as it probably could get
you banned from Twitter.
On Sun, Feb 15, 2009 at 12:11, John Adams <[email protected]> wrote:
Actually, forcing an app to use the API is better for Twitter. You
get the data directly, and the system doesn't spend any time
rendering the HTML. Less data from us = less time tying up server
resources.
There's no reason why you can't write a small amount of code to
fetch a user's Tweets and display them in an IFRAME in the same way
that you've described, with your site as the IFRAME's source.
There were few options to defend against clickjacking. Denying
IFRAMEs and preventing authenticated sessions from opening in them
(when part of another page) was our best defense.
-john
On Feb 15, 2009, at 8:18 AM, Shannon Whitley wrote:
I hope Twitter will reconsider these changes. With My Tweeple, I was
able to provide a preview of a user's updates by displaying the page
in an iframe. It was very convenient for the user to review someone's
tweets before deciding to follow someone. It also appears that
Twummize.com no longer works (one of my favorite simple mashups of
Twitter and Twitter Search). Forcing an app to hit the API to
recreate a page that already exists on Twitter.com seems like a bad
thing for Twitter.
On Feb 13, 3:10 pm, Cameron Kaiser <[email protected]> wrote:
Because of the click-jacking incident yesterday, it seems you've added
something like:
//<![CDATA[
twttr.form_authenticity_token = '966f6780e3bb206fe5f451d9ea40407f6532277f';
if (window.top !== window.self) {
  setTimeout(function() { document.body.innerHTML = ''; }, 1);
  window.self.onload = function(evt) { document.body.innerHTML = ''; };
}
//]]>
Which I guess fixes the click-jack problem, but now our app at
http://topichawk.com/ is broken because we use an iFrame in a harmless
way to display tweets. Is there a process to keep our site from being
treated like a spammer?
Twitter doesn't support using <iframe>s and anything you had working
before was almost certainly by accident. You're going to have to code
something up that queries the API.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * [email protected]
-- The faster we go, the rounder we get. -- The Grateful Dead, on relativity ---
--
Abraham Williams | http://the.hackerconundrum.com
Web608 | Community Evangelist | http://web608.org
This email is: [ ] blogable [x] ask first [ ] private.
Sent from: Madison Wi United States.
---
John Adams
Twitter Operations
[email protected]
http://twitter.com/netik
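The two layers of anti-clickjacking defense this thread touches on, written out as an added example (not code from the thread, from Twitter, or from any of the apps mentioned): the client-side frame-busting check of the kind in the snippet Cameron quoted (window.top !== window.self, then blank the body), and the response headers that make the browser itself refuse to render the page in a frame. The window and response objects are constructed stand-ins so it runs under plain Node.js; X-Frame-Options and CSP frame-ancestors are real headers, while the policy names 'deny' and 'sameorigin' and every function name are this example's own.

```javascript
// Added example, not from the thread: clickjacking defenses as plain
// Node.js functions, testable without a browser.

// --- Layer 1: client-side frame-busting, the approach in the quoted
// snippet. The window is passed in explicitly so the check can be
// exercised against constructed stand-in objects (see makeWindows).
function isFramed(win) {
  // In a browser, window.top !== window.self exactly when this document
  // is rendered inside a frame owned by some other document.
  return win.top !== win.self;
}

function frameBust(win) {
  // Mirrors the quoted script's effect (empty the body when framed) and
  // reports whether it acted, so the behaviour can be asserted on.
  if (!isFramed(win)) return false;
  win.document.body.innerHTML = '';
  return true;
}

// --- Layer 2: response headers telling the browser not to render the
// page in a frame at all. Unlike layer 1 this does not depend on the
// page's own JavaScript running. The policy names are this example's own.
function antiFramingHeaders(policy) {
  switch (policy) {
    case 'deny':       // never framed, by anyone
      return {
        'X-Frame-Options': 'DENY',
        'Content-Security-Policy': "frame-ancestors 'none'",
      };
    case 'sameorigin': // framed only by pages from the same origin
      return {
        'X-Frame-Options': 'SAMEORIGIN',
        'Content-Security-Policy': "frame-ancestors 'self'",
      };
    default:
      throw new Error('unknown framing policy: ' + policy);
  }
}

// Applies the headers to any object with a setHeader(name, value) method,
// e.g. a Node http.ServerResponse. Returns the headers it set.
function applyAntiFraming(res, policy) {
  const headers = antiFramingHeaders(policy);
  for (const name of Object.keys(headers)) res.setHeader(name, headers[name]);
  return headers;
}

// Constructed stand-ins for a top-level window and for the same page
// loaded inside another document's <iframe>.
function makeWindows() {
  const topLevel = { document: { body: { innerHTML: '<p>top-level</p>' } } };
  topLevel.top = topLevel;
  topLevel.self = topLevel;
  const framed = { document: { body: { innerHTML: '<p>framed</p>' } }, top: topLevel };
  framed.self = framed;
  return { topLevel, framed };
}

// Constructed response object exposing only what applyAntiFraming needs.
function makeResponse() {
  const sent = {};
  return { headers: sent, setHeader(name, value) { sent[name] = value; } };
}

// Runs both layers against the constructed objects and returns the outcome.
function demo() {
  const { topLevel, framed } = makeWindows();
  const res = makeResponse();
  applyAntiFraming(res, 'deny');
  return {
    topLevelBusted: frameBust(topLevel), // false: not framed, nothing to do
    framedBusted: frameBust(framed),     // true: body was emptied
    framedBody: framed.document.body.innerHTML,
    headers: res.headers,
  };
}

console.log(demo());
```

Run with `node clickjacking_defense.js` (file name is arbitrary). The point of the second layer is Abraham's observation: a frame-busting script only helps while it actually executes in the embedding page, whereas a header is enforced by the browser before any script runs. The 'sameorigin' policy is the one that still fits John's suggestion of framing your own page (with your own site as the IFRAME's source) while refusing frames from anyone else.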