I didn't alert the list because we wanted to observe the behavior of
some of our Flash assets after the change, and so the current contents
of crossdomain.xml are not yet concrete. If anyone has suggestions
for a crossdomain.xml that's both secure and useful to Flash
developers, please let the list know.
On Sun, Mar 9, 2008 at 5:52 AM, <kr...@neuroproductions.be> wrote:
>
>
> I fixed my app, by getting the data via php on my own domain, but the
> core problem remains
>
--
Alex Payne
http://twitter.com/al3x
Yup, and it neutered Twitter Karma, which relied on the permissive
crossdomain.xml that twitter.com was publishing. :-)
Oh well, I guess that's the end of using Flash for making Twitter API
requests ... for anyone other than Twitter, of course.
-- Dossy
--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)
The great thing about Twitter Karma was that users' ID and passwords
never touched my server--all communication was directly between the
end-user's browser and twitter.com's servers.
I don't use many Twitter "tools" because I don't hand out my own auth.
credentials to third parties, so I wanted to make Twitter Karma a tool
that I would feel comfortable using if someone _else_ had implemented
it.
Proxying requests through my servers will naturally "work" but I
wouldn't want to send my auth. credentials through some third-party
server, therefore I don't like asking other users to do it.
> @Alex,Twitter: Can't you use an other domain for the API, just like
> the yahoo and google APIs ? at least check how they do it. with the
> key and stuff. Anyway, I hope it gets fixed :)
Me too.
We're not trying to shut down Flash developers, just trying to protect
our users' security.
--
Alex Payne
http://twitter.com/al3x
1. Move the Twitter API to api.twitter.com. Use the completely
permissive crossdomain.xml on api.twitter.com.
2. Stop supporting HTTP Basic auth. on api.twitter.com. Implement OAuth
or some other kind of auth. token system.
3. Require non-public API requests to include a valid user auth. token.
--
Alex Payne
http://twitter.com/al3x
Despite all the disadvantages of HTTP Basic, shutting it down completely
without a transition period will break a lot of applications.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- Why did the chicken cross the Moebius strip? To get to the other ... uh ...
Never mind -- I read this as twitter.com, not api.twitter.com.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- "I would blame Microsoft even if it *weren't* their fault." -- me ----------
You have to drop HTTP Basic auth--that is exactly where the security
issue arises from. Once the browser captures the auth. credentials
from the user, it always sends them, thus allowing third-party sites to
generate requests in the browser, via Flash, as the user, which can be
used for malicious purposes.
True. The choices are: keep things the way they are and lock out
third-party developers from using Flash or force them to go through a
proxy; OR, make the changes I mentioned.
It sounds like Alex is hinting that they're opting to do the latter, not
the former. We'll see.
If you mean completely remove HTTP Basic Auth from the entire API
specification and make OAuth the only method, though, I would *not* support
that. That would break too many clients, and there are lots of one-off
scripts that use the easy method of passing auth headers (including over
SSL).
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- PowerPC inside! ------------------------------------------------------------
There are other choices, but none of them involve allowing HTTP Basic
auth. That is precisely the core of the security issue. SSL wouldn't
help here, either.
--
Alex Payne
http://twitter.com/al3x
We're not going to remove Basic Auth from the Twitter API without a
very, very long grace period and plenty of conversations with this
group.
--
Alex Payne
http://twitter.com/al3x
<?xml version="1.0" encoding="UTF-8"?>
<hash>
<request>/notifications/follow/[username].xml</request>
<error>There was a problem following the specified user.</error>
</hash>
Is this a rate limit issue? Something else?