

Twitter effectively killing JSONP too - dansingerman
http://blog.dansingerman.com/post/31052497029/twitter-effectively-killing-jsonp-too

======
mootothemax
This doesn't mean killing JSONP dead, it just means that you'll need a server-
side script to generate oauth-authenticated URLs first.

This is what I do in one application right now, and it works really well,
meaning that for the calls in question, the rate limit applies to the user's
IP and not our server's.

~~~
dansingerman
I've thought about that sort of approach. Can you describe in a bit more
detail how you do that, especially how you ensure it is secure?

~~~
przemoc
It's not a strict answer, and I'm not the one being asked, but about doing
"that" while having at least JSON alone, you can proxy the queries and wrap
answers by yourself. E.g. in nginx you can use HttpEchoModule:

<http://wiki.nginx.org/HttpEchoModule>

<http://www.gabrielweinberg.com/blog/2011/07/nginx-json-hacks.html>
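
Added example, not part of any comment in this thread: a sketch of the server-side step discussed above, signing a GET URL with OAuth 1.0a (RFC 5849, HMAC-SHA1) so the browser receives a ready-to-use URL while both secrets stay on the server. The endpoint allow-list, the function names and the demo credentials are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlencode

# Assumption: the one endpoint and the query parameters this server will sign.
ALLOWED = {
    "https://api.twitter.com/1.1/statuses/user_timeline.json":
        {"screen_name", "count", "callback"},
}
# Constructed sample credentials, not real keys; they never leave the server.
DEMO_CREDS = {"consumer_key": "ck-demo", "consumer_secret": "cs-demo",
              "token": "tok-demo", "token_secret": "ts-demo"}

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")

def signature(method, url, params, consumer_secret, token_secret):
    # Base string: METHOD & encoded URL & encoded, sorted parameter string.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(param_str)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def signed_url(url, query, creds, now=None, nonce=None):
    """Return a GET URL with OAuth 1.0a query parameters; ValueError if refused."""
    allowed = ALLOWED.get(url)
    if allowed is None:
        raise ValueError("endpoint not allow-listed")
    if not set(query) <= allowed:
        # Also stops a caller from supplying its own oauth_* parameters.
        raise ValueError("parameter not allow-listed")
    params = dict(query)
    params.update({
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        "oauth_nonce": nonce or secrets.token_hex(16),
    })
    params["oauth_signature"] = signature(
        "GET", url, params, creds["consumer_secret"], creds["token_secret"])
    return url + "?" + urlencode(params, quote_via=quote, safe="-._~")
```

The signature covers the endpoint and every parameter, so the browser cannot change `screen_name` or the endpoint without invalidating it. The allow-list keeps the signing route from becoming a general-purpose signer for whatever a caller asks.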

------
mcherm
The lesson is not "do not build on someone else's platform", but "be careful
whose platform you build on". There have been signs for quite some time now
that Twitter was not particularly supportive of things built on them.

~~~
hpaavola
Is there any way to know if one party is more reliable than another? Four years
back, was there any way to know that Twitter would limit their APIs and change
their terms and conditions the way they have done? If not, isn't the lesson
here "do not build on someone else's platform"?

~~~
reinhardt
Either that, or "sell your company within four years".

------
mmahemoff
They "sunsetted" @Anywhere so they can focus on embedded tweets, a more
focused attempt to provide badges/widgets for browsers. So really I doubt they
want browser apps calling their API directly, but rather to use their embed
timelines.

I realise that's a tiny subset of what's possible with the JSONP API, but
that's my guess about why they won't support JSONP.

And, if they do shut it down, it sucks. I've run <http://listoftweets.com> for
several years and made various other Twitter mashups using their JSONP API.

------
zachalexander
I'm wondering (a) if people are going to switch to screen scraping as a way to
avoid the new API restrictions, and (b) how much Twitter could do to thwart
such attempts.

My (uneducated) guess is that it might play out like other DRM wars. Twitter
could come up with new ways to scramble their HTML/CSS/JS to make it harder to
automatically scrape... until scrapers evolved to decipher the new patterns, ad
infinitum.

~~~
ConstantineXVI
If they're willing to flip off search engines and do all page rendering in JS,
there's no limit to what they could do to make a scraper's life hell.

It'd be relatively simple to generate non-sensible fonts (where code points
don't map as expected) where the browser still renders legible tweets but
scrapers get unintelligible gibberish. The special font would essentially be a
one-time pad, generate new font mappings every few requests and your HTML is
essentially uncrackable to scrapers that don't have the horsepower to OCR
every tweet (at which point you may as well pay for Gnip anyway).

~~~
chimeracoder
True, but it would be much simpler to hack the Twitter native applications to
do the dirty work for you, depending on your purposes.

That, or just use the oauth_secret from the official Twitter applications;
those were cracked ages ago, and even if they changed them (thereby breaking
all their old applications), they're super-easy to crack again.

~~~
ConstantineXVI
Hardening the webpage would still decimate the amount of people with the
skill/motivation to pry out tweets. HTML scraping is much more accessible than
poking around native, source-less apps. (And if it was still a problem, the
same tactics as above would work equally well in native apps.)

------
posabsolute
They will be killing a lot of third-party plugins too, a good example would be
the WordPress plugins, a lot of them use the JSONP stuff.

Seems weird to me, but hey, anything to make money in the end I guess.

------
kemayo
Well, goodbye twitter widgets on lots of websites, I guess. (deviantART does a
JSONP widget on user pages, lots of WordPress plugins do it, etc...)

~~~
gavinlynch
Somehow I feel we're really not losing that much.....

------
missing_cipher
Does this mean that
"http://api.twitter.com/1/statuses/user_timeline/<user>.json"
will be deprecated? Or is this talking about authentication?

~~~
mike-cardwell
They deprecated RSS the other day. Even if that's not deprecated yet, you
should assume it will be at some point. They seem to be slowly removing access
to everything.

------
Tichy
Do all calls to the Twitter API require authentication now? It used to be that
some calls (like search) did not require authentication, and I would assume
those would still work with JSONP?

~~~
dansingerman
Nope, all REST calls now require authentication:
<https://dev.twitter.com/docs/api/1.1/overview#Authentication_required_on_all_endpoints>
(and search is now formally part of the REST API as of v1.1)

------
dreamdu5t
Good. JSONP is stupid anyway.

~~~
bittermang
Care to elaborate, or are you just baselessly venting against acronyms?

