On Tue, Jan 12, 2010 at 11:21 PM, Raffi Krikorian <ra...@twitter.com> wrote: >> If that is the reason for disallowing the source param, why is this >> policy not being applied uniformly? How would users of Tweetie, >> Twitterrific, etc. feel if all their updates now said 'from web'? How >> would the developers of those apps feel? > > those applications have been grandfathered in -- requiring oauth to set the > source parameter applies to newer applications. > -- > Raffi Krikorian > Twitter Platform Team > http://twitter.com/raffi >
Not sure I agree with twitter discission to give the current applications a break, yet force new apps to conform. Come on its been like 6 months, pull the plug already and stop babying these old apps. So new apps should have to deal with the headaches, while these guys get to sit back and relax until things cool down?? Heh. >> the ability to "forge" the source parameter is too easy when simply using >> basic auth. That's a pretty lame excuse. Desktop apps using oauth are just as susceptible to this as basic apps. You must distribute your consumer credentials with the app. A hacker can strip these and use them for forging. So OAuth provides no protection there. Only safety to be had with oauth is with server based apps that can keep their credentials safe. Josh
