Is there a way to make sure HTTP_REFERER is not set?
todd
I've been using GAE to make Twitter calls. In the last few days my
Twitter API calls started failing with this
error:
403 Forbidden: The server understood the request, but is refusing to
fulfill it. If you are posting from an API tool please ensure that the
HTTP_REFERER header is not set.
To my knowledge I'm not setting referer (code appended). My code
has been working for a long time after Twitter required HTTP_REFERER
header to not be set.
Has anything changed on the GAE side? The code works from the test web
server but fails when published into the cloud.
Any thoughts on what might be happening or what I can do about it?
thanx
class SendChime(webapp.RequestHandler):
def get(self):
self.response.headers['Content-Type'] = 'text/plain'
username = self.request.get("username")
logging.debug("Sending chime for user=" + username)
login = username;
password = password
chime = self.get_chime()
payload= {'status' : chime,
'source' : "innertwitter"}
payload= urllib.urlencode(payload)
base64string = base64.encodestring('%s:%s' % (login, password))
[:-1]
headers = {'Authorization': "Basic %s" % base64string}
url = "http://twitter.com/statuses/update.xml"
result = urlfetch.fetch(url, payload=payload,
method=urlfetch.POST, headers=headers)
self.response.out.write(result.content)
todd
said to be one of the headers you can't change. That means you can't
post to Twitter from GAE.
James Strachan
2008/6/6 todd <t...@possibility.com>:
--
James
-------
http://macstrac.blogspot.com/
Open Source Integration
http://open.iona.com
joh...@easypublisher.com
/Johan
--
Johan Carlsson
Colliberty Easy Publisher
http://www.easypublisher.com
joh...@easypublisher.com
> On Apr 9, 2007, at 2:12 PM, rag wrote:
> "Sorry, due to abusive behaviour, we have been forced to disable
> posting from external websites. If you are posting from an API tool,
> please ensure that the HTTP_REFERER header is not set."
So it seems like your not allowed to post to twitter from external web sites.
Looking at urlfetch.py, I'm wondering if it would be possible to
override the fetch
function (e.g. roll your own) and intercept the request after it's
been generated
from urlfetch_service_pb.URLFetchRequest(), assuming it is URLFetchRequest()
that addes the unwanted headers. (Just a wild idea, if you try it let me know).
/Johan
James Strachan
>
> To answer my own question:
>
>> On Apr 9, 2007, at 2:12 PM, rag wrote:
>> "Sorry, due to abusive behaviour, we have been forced to disable
>> posting from external websites. If you are posting from an API tool,
>> please ensure that the HTTP_REFERER header is not set."
>
> So it seems like your not allowed to post to twitter from external web sites.
You can - you just can't set the HTTP_REFERER. i.e. any request with
it set is blocked.
> Looking at urlfetch.py, I'm wondering if it would be possible to
> override the fetch
> function (e.g. roll your own) and intercept the request after it's
> been generated
> from urlfetch_service_pb.URLFetchRequest(), assuming it is URLFetchRequest()
> that addes the unwanted headers. (Just a wild idea, if you try it let me know).
urlfetch isn't setting the referer header AFAIK - its a separate proxy
doing that.
FWIW here's the twitter thread about this mandatory no referer header
policy - AFAIK its some security issue that made them add this
restriction.
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/5576e58b88af7b82/1440d1216719b2bb#1440d1216719b2bb
James Strachan
According to this thread...
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/ebf637d1ea971247/bb8c1c9c23901ecb?lnk=gst&q=referer#bb8c1c9c23901ecb
it might be that setting Referer to a string that starts with
"app-resource:/" we might be able to post to twitter from app engine.
I wonder is there some secret ninja header we could set to avoid the
appengine http proxy zapping the Referer header and shoving in the
"http://*.appspot.com/ value?
It'd be very handy to be able to post to twitter from app engine!
Ryan W
various APIs working, including twitter, only to discover this in
production (twitter works fine with the local SDK). Maybe another
intermediary service/client can make the call to twitter cleanly and
we can have urlfetch call that intermediary.
On Jun 10, 4:31 am, "James Strachan" <james.strac...@gmail.com> wrote:
> 2008/6/7 James Strachan <james.strac...@gmail.com>:
>
>
> > 2008/6/7 <joh...@easypublisher.com>:
>
> >> To answer my own question:
>
> >>> On Apr 9, 2007, at 2:12 PM, rag wrote:
> >>> "Sorry, due to abusive behaviour, we have been forced to disable
> >>> posting from external websites. If you are posting from an API tool,
> >>> please ensure that the HTTP_REFERER header is not set."
>
> >> So it seems like your not allowed to post to twitter from external web sites.
>
> > You can - you just can't set the HTTP_REFERER. i.e. any request with
> > it set is blocked.
>
> >> Looking at urlfetch.py, I'm wondering if it would be possible to
> >> override the fetch
> >> function (e.g. roll your own) and intercept the request after it's
> >> been generated
> >> from urlfetch_service_pb.URLFetchRequest(), assuming it is URLFetchRequest()
> >> that addes the unwanted headers. (Just a wild idea, if you try it let me know).
>
> > urlfetch isn't setting the referer header AFAIK - its a separate proxy
> > doing that.
>
> > FWIW here's the twitter thread about this mandatory no referer header
> > policy - AFAIK its some security issue that made them add this
> > restriction.
>
> According to this thread...http://groups.google.com/group/twitter-development-talk/browse_thread...
Ryan W
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/5576e58b88af7b82
James Strachan
On Jul 9, 4:55 pm, Ryan W <rwilli...@gmail.com> wrote:
> Looks like Twitter may remove this restriction:
>
> On Jul 8, 11:23 pm, Ryan W <rwilli...@gmail.com> wrote:
>
> > Wow, this is a real bummer, a night's work wasted after getting
> > various APIs working, including twitter, only to discover this in
> > production (twitter works fine with the local SDK). Maybe another
> > intermediary service/client can make the call to twitter cleanly and
> > we can have urlfetch call that intermediary.
>
> > On Jun 10, 4:31 am, "James Strachan" <james.strac...@gmail.com> wrote:
>
> > > 2008/6/7 James Strachan <james.strac...@gmail.com>:
>
> > > > 2008/6/7 <joh...@easypublisher.com>:
>
> > > >> To answer my own question:
>
> > > >>> On Apr 9, 2007, at 2:12 PM, rag wrote:
> > > >>> "Sorry, due to abusive behaviour, we have been forced to disable
> > > >>> posting from external websites. If you are posting from an API tool,
> > > >>> please ensure that the HTTP_REFERER header is not set."
>
> > > >> So it seems like your not allowed to post to twitter from external web sites.
>
> > > > You can - you just can't set the HTTP_REFERER. i.e. any request with
> > > > it set is blocked.
>
> > > >> Looking at urlfetch.py, I'm wondering if it would be possible to
> > > >> override the fetch
> > > >> function (e.g. roll your own) and intercept the request after it's
> > > >> been generated
> > > >> from urlfetch_service_pb.URLFetchRequest(), assuming it is URLFetchRequest()
> > > >> that addes the unwanted headers. (Just a wild idea, if you try it let me know).
>
>
> > > > FWIW here's the twitter thread about this mandatory norefererheader
> > > > policy - AFAIK its some security issue that made them add this
> > > > restriction.
> > > >http://groups.google.com/group/twitter-development-talk/browse_thread...
>
> > > According to this thread...http://groups.google.com/group/twitter-development-talk/browse_thread...
>
> > > I wonder is there some secret ninja header we could set to avoid the
Jorge Vargas
because given it's cloud nature the must be proxing the requests to
their servers.
As for twitter this restriction is probably in place so they don't get
floddded with spammers using open proxies.