Thanks Raffi for doing this.  Honestly, I really really thank you for
this.  I would love for the Twitter API team to engage with RIA client
providers on establishing open, but secure cross-domain policy files.
I know that since crossdomain.xml isn't a standard, each RIA client
provider is implementing their own.  For Silverlight we have a similar
structure, but one that affords pretty good control from the provider
while still enabling open access to developers.  I would love for you
to consider Silverlight's cross-domain policy for api.twitter.com as
well.  Please feel free to contact me offline and I can provide
details on this and help understand the benefits to Twitter and how
you can best implement the policy.

Thanks again,

-th

Tim Heuer
Microsoft Silverlight

On Nov 7, 9:38 am, Raffi Krikorian <ra...@twitter.com> wrote:
> hi tim.
>
> the crossdomain.xml file is now open an unrestricted to search.  in  
> the future, as part of the migration to api.twitter.com for API  
> endpoints, we may consider relaxing a crossdomain.xml policy on that.
>
>
>
>
>
> > John I'm with others here that this represents a significant change to
> > the operation of the API and has affected numerous applications and
> > samples, etc.
>
> > Frankly I wish Twitter would really understand x-domain policy files
> > better.  If there is a concern around security, then address it and
> > don't allow *user* changes on the API domain root.  I fully understand
> > the reason for x-domain policies as we need them for Silverlight as
> > well -- and appreciate how they help mitigate the attack surface.
>
> > But especially for Search, which is an unauthenticated API it doesn't
> > make sense.  Having twitter segment their API (or provide a different
> > endpoint for RIA clients that has the security risk mitigation in
> > place) seems to make sence.  That's exactly what others (Yahoo,
> > Microsoft, etc.) do -- instead of hanging their API off of the end-
> > user application it is segmented (i.e., yahooapis.com or
> > api.twitter.com) so as to help the security threat surface.
>
> > Twitter doesn't block domains from using the services otherwise and
> > having a x-domain policy in place that is DIFFERENT than what is
> > allowed in the API in general is very confusing to the developer
> > audience.
>
> > Please change the Search API back ASAP as that in the short-term has
> > the greatest negative effect on a lot of applications that relied on
> > it and are now affected TWICE in one week without notification.  Users
> > of the transactional API always knew from the very beginning about the
> > x-domain policy file (even though it, too, went through a change early
> > on), but the Search API hasn't been like this for a long time.
>
> > Consider your developer audience in the short-term while you consider
> > a longer-term solution.  And until then, provide us with a phase-out
> > plan instead of a complete shut-off which negatively affects us and
> > our customers.  I understand Twitter is a free service and such has
> > the typical SLA that comes along with free.  But it has been an
> > invaluable service to your customers and ours --
>
> > I also agree with others that making these announcements BEFORE the
> > changes on status.twitter.com and these lists as well as the official
> > API announce is essential.  There has only been answers on these
> > issues based on questions -- nothing pro-active from your team about
> > the changes or what is going on.
>
> > -th
>
> > On Nov 6, 7:35 am, Marauderz <maraud...@gmail.com> wrote:
> >> John,
>
> >> Even before last week, our Flash apps could always access
> >> search.twitter.com. means that the crossdomain.xml had always allowed
> >> universal access before. So it is NOT the same state that it was last
> >> week.
>
> >> The change in the crossdomain.xml will mean that all the Flash,
> >> Silverlight and any other platform that respects a crossdomain.xml
> >> file are now essentially broken by this change.
>
> >> I understand the concerns for security, but maybe you could then  
> >> think
> >> of setting up another domain for RIA app search use instead then? In
> >> any case, a lot of twitter apps have just been silenced because of
> >> this crossdomain.xml change.
>
> >> On Nov 6, 8:08 am, John Adams <j...@twitter.com> wrote:
>
> >>> On Nov 5, 2009, at 3:32 PM, codewarrior415 wrote:
>
> >>>> OK, the crossdomain policy now only allows your flex application to
> >>>> access the API. You are not allowing flex appication access your  
> >>>> API?
> >>>> How come the change again today. This morning it was working fine.
>
> >>> twitter.com's crossdomain.xml is exactly the same as it was last  
> >>> week,
> >>> it was restored from the original configuration.
>
> >>> The search.twitter.com crossdomain.xml policy was incorrectly set to
> >>> permit from all sites for all actions.
>
> >>> We've configured that to be identical to the twitter.com
> >>> crossdomain.xml to prevent CSRF, session fixation,  and attacks on
> >>> user accounts, which is a major security issue which Facebook and
> >>> Myspace fell to earlier this week.
>
> >>> Could you describe what you are trying to do and we'll research?
>
> >>> -john
>
> --
> Raffi Krikorian
> Twitter Platform Team
> ra...@twitter.com | @raffi

Reply via email to