Crossdomain policy


torontocitylife

Aug 31, 2009, 2:35:37 PM
to Twitter Development Talk
Does anyone know what's going on with Twitter's crossdomain policy
file? I read -- over a year and a half ago -- that they were
temporarily blocking broad access because of security holes. The
crossdomain file still reads:

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
<allow-access-from domain="api.twitter.com" />
<allow-access-from domain="search.twitter.com" />
<allow-access-from domain="static.twitter.com" />
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>

...which means Twitter is disallowing access from anything other than
the twitter.com domain, meaning no access to any web-based apps
without a server-side proxy workaround. Wasn't this supposed to be
temporary? And why even have a web-based API if they're still, a year
and a half later, actively disallowing connections to it?

Chad Etzel

Sep 4, 2009, 1:18:54 AM
to twitter-deve...@googlegroups.com
Hello,

Our cross domain policy file is intentionally set up to exclude any and
all 3rd party websites. This is a permanent decision. The only way to
work around this is to set up a server-side proxy.

Thanks,
-Chad
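
Added example, not part of the original thread and not Twitter's code: a small Python check that parses the policy quoted in the first post and reports which entries admit a given requesting host, next to a constructed wide-open policy for contrast. The matching rule is a simplified assumption (exact name, `*`, or `*.suffix`), and the host names `apps.twitter.com` and `thirdparty.example` are constructed test values.

```python
import xml.etree.ElementTree as ET

# The policy quoted in the first post, with the mail-wrapped attributes rejoined.
TWITTER_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
<allow-access-from domain="api.twitter.com" />
<allow-access-from domain="search.twitter.com" />
<allow-access-from domain="static.twitter.com" />
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>"""

# Constructed contrast case: a policy that opens the site to every origin.
OPEN_POLICY = b'<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'


def domain_matches(pattern, host):
    """Simplified matching (assumption): exact name, "*", or "*.suffix"."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def granted(policy_xml, host, element="allow-access-from"):
    """Return the domain patterns in `element` entries that admit `host`."""
    root = ET.fromstring(policy_xml)
    return [e.get("domain") for e in root.iter(element)
            if domain_matches(e.get("domain", ""), host)]


def wildcard_grants(policy_xml):
    """List allow-access-from patterns containing a wildcard, for review."""
    root = ET.fromstring(policy_xml)
    return [e.get("domain") for e in root.iter("allow-access-from")
            if "*" in e.get("domain", "")]


if __name__ == "__main__":
    for host in ("api.twitter.com", "apps.twitter.com", "thirdparty.example"):
        print(host, "->", granted(TWITTER_POLICY, host) or "denied")
    print("wildcards:", wildcard_grants(TWITTER_POLICY), wildcard_grants(OPEN_POLICY))
```

The access list in the quoted policy names four exact hosts, so under this matching rule even an unlisted twitter.com subdomain is not admitted by `allow-access-from`; only the request-header entry uses a wildcard.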
