You may have caught this on the Twitter Development Talk Google Group, but last week we made a change to our crossdomain.xml file.
Previously, we allowed Flash applications hosted anywhere on the web to make requests to the Twitter API. Unfortunately, a proof-of-concept security flaw was demonstrated that would allow malicious Flash applications to make requests on behalf of users logged in to Twitter. So, for the time being, our crossdomain.xml only allows applications hosted at Twitter domains, or at other domains approved by our team, to talk to our API.
If your Flash app needs to talk to the Twitter API, the primary way around this is to host a proxy to the Twitter API on your domain. Beyond that, we're open to suggestions, and we've been collecting them on the aforementioned Google Group. We don't want to make Flash developers second-class citizens, but we also need to act with our users' security in mind.
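To make the change concrete, here is an added example (not Twitter's actual policy file or code) that puts a constructed wildcard crossdomain.xml next to a constructed restricted one and audits each for rules that would let any origin make cookie-bearing API requests through the Flash Player. The host names are placeholders standing in for "Twitter domains" and "approved domains".

```python
import xml.etree.ElementTree as ET

# Constructed sample of the open policy the post describes: any Flash
# movie on the web may call the API with the viewer's cookies attached.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# Constructed sample of a restricted policy: only the site's own hosts
# and an explicitly approved partner (placeholder name) are listed.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="twitter.com" secure="true"/>
  <allow-access-from domain="*.twitter.com" secure="true"/>
  <allow-access-from domain="approved-partner.example" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(policy_xml):
    """Return a list of findings describing rules that let untrusted
    origins make cookie-bearing requests via the Flash Player."""
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    # "all" lets any other policy file on the host widen access further.
    for sc in root.iter("site-control"):
        if sc.get("permitted-cross-domain-policies", "").lower() == "all":
            findings.append("site-control permits all policy files")

    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin may call the API')
        elif domain.startswith("*.") and "." not in domain[2:]:
            # Heuristic: a wildcard over a whole TLD (e.g. *.com) is as good as "*".
            findings.append(f"allow-access-from domain={domain!r} covers a whole TLD")
        # secure="false" lets SWFs loaded over plain HTTP use an HTTPS policy.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain={domain!r} sets secure="false"')
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy) or ["no findings"])
```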
Monday, March 17, 2008