This change impacts the following API methods:
- /statuses/friends_timeline
- /statuses/user_timeline
- /statuses/show
- /statuses/update
- /statuses/destroy
- /statuses/replies
- /statuses/friends
- /statuses/followers
- /users/show
- /direct_messages
- /direct_messages/sent
- /direct_messages/new
- /direct_messages/destroy
- /friendships/create
- /friendships/destroy
- /account/update_location
- /account/update_delivery_device
- /account/rate_limit_status
- /favorites
- /favorites/create
- /favorites/destroy
- /notifications/follow
- /notifications/leave
- /blocks/create
- /blocks/destroy
Yes, that's most of the methods in the Twitter API. Very few of our
methods are guaranteed never to return the details or status of a
"protected" (private) user. Only methods like
/statuses/public_timeline are safe for user-defined callbacks.
Regarding the other, more obscure JSON security issue discussed in the
aforementioned thread: we'll be changing the structure of JSON
responses to be a Hash in the next major revision of the API to avoid
the Array-overloading vulnerability in older versions of Firefox.
This change is too broad-reaching to accomplish at the same API
endpoints, and we have a major update to the API in the works anyway.
Please help spread the word to any other developers you know who make
use of callbacks with their JSON-formatted Twitter API responses.
Thanks much!
[1] http://groups.google.com/group/twitter-development-talk/browse_thread/thread/1f81d8278ed62c3b#
--
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x
--
Well, it's going away anyway, so why would that affect users who
don't know what a callback is? If they don't know, they're probably
not using it anyway.
--
Julio Biason <julio....@gmail.com>
Twitter: http://twitter.com/juliobiason
We'll document the use of callbacks.
We'll still be allowing callbacks for all Search API results, as all
of that data is public.
--
Does that clear it up?
On Fri, Oct 24, 2008 at 9:19 AM, spice3d <spi...@gmail.com> wrote:
>
> Tomorrow is D-Day. I hope everyone is prepared...
>
--