- there should be a very permissive crossdomain.xml file on
   search.twitter.com;
   - the firehose does not host a crossdomain.xml file for its production
   usage; and
   - twitter.com and api.twitter.com have restrictive crossdomain.xml
   files.

to my understanding (but correct me if i'm wrong), it is possible to do some
nasty things regarding cookies between web applications when crossdomain.xml
files get involved.  twitter.com will probably remain to have a restrictive
policy, but we have wanted for a while (but haven't gotten around to it yet)
to do a security audit of api.twitter.com before relaxing the file there.  i
apologise for the inconvenience.

On Mon, Apr 12, 2010 at 5:04 AM, Martin Heidegger <mastakan...@gmail.com>wrote:

> To me this step makes very few sense.
>
> This API is already public - all data served by this api is public -
> flash programmers or not.
>
> Programmers start to create "twitter.api" proxys infrastructure that
> reads data from this api
> and serves just to work around the crossdomain.xml. It is also
> possible to work-around this
> with javascript bridges. With some around-the-corner-thinking most
> flash applications should
> work.
>
> To me this is unnecessary hazzle for a lot of developers that doesn't
> really stop them doing anything
> that they would without this restriction (well - it might reduce the
> responsetime and the quality of their applications).
>
> And for what? To avoid or some temporary load difficulties? This API
> is online/live for more
> than a year now. I hope you reconcider opening it soon.
>
> yours
> Martin.
>
> On Mar 19, 8:53 pm, "Orian Marx (@orian)" <or...@orianmarx.com> wrote:
> > John, thanks for the response. This makes sense.
> >
> > While I do trust that the existingcrossdomain.xml policies were
> > implemented out of a *concern* for user privacy and security, I don't
> > believe they should remain as they currently are, and while the issue
> > has been repeatedly brought to attention in this forum it has never
> > had an official response other than "we're thinking about it". I think
> > a lot of Flash developers have been very patient with Twitter in this
> > regard. Keep in mind we're not talking about some particular service
> > call on an API being unavailable, but rather the entire non-search
> > Twitter API.
> >
> > Twitter has addressed security concerns very well through OAuth. There
> > is really no reason Flash apps should be restricted if they are making
> > OAuth calls to the new api.twitter.com endpoints. For other
> > discussions of this please seehttp://
> groups.google.com/group/twitter-development-talk/browse_frm/th...
> > andhttp://
> groups.google.com/group/twitter-development-talk/browse_frm/th...
> >
> > -Orian
> >
> > On Mar 19, 2:17 pm, John Kalucki <j...@twitter.com> wrote:
> >
> > > Currently the Streaming API is primarily intended for service to
> service
> > > integrations, and we've provisioned stream.twitter.com as such. We've
> also
> > > opened it up for all sorts of open-ended experimentation as well.
> However,
> > > we've asked large-scale deployments, such desktop apps and widgets, to
> hold
> > > off on releasing products against the Streaming API until we can
> provide a
> > > few more features (oAuth, etc.), provide sufficient capacity, and fully
> > > isolate desktop traffic from integration traffic.
> >
> > > A single Hosebird process can pump out a lot of data. A cluster of them
> is a
> > > bit like a bull in a china shop. We want to avoid a success catastrophe
> > > where a set of popular clients releases all at once and inadvertently
> > > overwhelms the service and potentially knocks integrations and/or
> > > non-trivial slice of www traffic offline. This would be bad for
> everyone,
> > > including open experimental access. So, among a dozen other disabled
> > > features,crossdomain.xml is also off on stream.twitter.com.
> >
> > > We're working on this right now. Please have patience.
> >
> > > Thecrossdomain.xml policy on other endpoints is the doing of others,
> and I
> > > don't remember all the details. Please trust that the policies chosen
> were
> > > made with user privacy and user security as the primary concerns.
> >
> > > -John Kaluckihttp://twitter.com/jkalucki
> > > Infrastructure, Twitter Inc.
> >
> > > On Fri, Mar 19, 2010 at 8:55 AM, Orian Marx (@orian) <
> or...@orianmarx.com>wrote:
> >
> > > > Am I interpreting this correct as saying "out of capacity concern
> > > > we're currently blocking Flash developers"? Thecrossdomain.xml issue
> > > > has been extremely frustrating across all of Twitter's service
> > > > endpoints and if I'm interpreting this post correctly this just adds
> > > > to a series of poor choices Twitter has made in regard to Flash
> > > > developers in my opinion. If this service needs to be limited for
> > > > capacity reasons it should be limited in the same way regardless of
> > > > what technology you are using to make requests of the API.
> >
> > > > -Orian Marx
> > > > Flex Developer
> >
> > > > On Mar 17, 1:50 pm, John Kalucki <j...@twitter.com> wrote:
> > > > > It's in the code, but turned off out of an abundance of caution for
> > > > capacity
> > > > > reasons. Given our current plans, it's going to be a little while
> longer
> > > > > before we can turn this on.
> >
> > > > > -John Kaluckihttp://twitter.com/jkalucki
> > > > > Infrastructure, Twitter Inc.
> >
> > > > > On Wed, Mar 17, 2010 at 10:29 AM, TarGz <julien.ter...@gmail.com>
> wrote:
> > > > > > hi,
> >
> > > > > > I have prevriuosly work on twittearth.com and now I work a
> project
> > > > > > that use the stream API.
> > > > > > The stream API work very well, it is very responsive and
> powerfull and
> > > > > > help me build a realtime geolocated search tool...
> >
> > > > > > The bad sing is that my Flash app only work offline because of
> the lak
> > > > > > ofcrossdomain.xml
> >
> > > > > > Did you have plan to put ahttp://
> sream.twitter.com/crossdomain.xml
> > > > > > file live soon ? because I love to share my tools with the world.
> >
> > > > > > Thank per advance for your answer(s)
> >
> > > > > > Looking forward for your reply
> >
> > > > To unsubscribe from this group, send email to
> twitter-development-talk+
> > > > unsubscribegooglegroups.com or reply to this email with the words
> "REMOVE
> > > > ME" as the subject.
>
>
> --
> To unsubscribe, reply using "remove me" as the subject.
>



-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

Reply via email to