New Twitter widget script seems to unexpected redirect behaviour

sankalp_sans · 2017-09-14T12:13:53.254Z

As a crude way of rendering tweets in our content on Android app, we use Android Webview along with our text (HTML with twitter markup), and manually injected Twitter widgets script at the end of each such Webview.

This seemed to work file until today. We confirmed that a rollout of new script had started today (14th September, 2017). Because of this, whenever we would open a page on the app, the script seems to call the URL data://platform.twitter.com/widgets/twitter_cookies.html?namespace=twttr%3Acookies&origin=null every single time.

It looks like this is being done for some kind of user tracking, but this unexpected behaviour has our Webview redirecting all our users to browsers with this URL in address bar.

Wondering what would the Twitter devs would suggest to resolve this.

Link to a script instance: https://gist.github.com/sankalpsans/0cbcc7ae1e11ff9aefd1c973102a4fcb#file-twitter-script-js

rogercaplan · 2017-09-14T13:44:34.038Z

do you happen to have a diff of whatever js code changed on twitter’s end?

btw the problem occurs on other platforms too, e.g. iOS - it’s caused by the twitter js code using the parent document’s origin to make requests to platform.twitter.com, so anything other than https:// will fail.

andypiper · 2017-09-14T14:54:17.064Z

Thanks for the reports of this issue. Our team is investigating. We appreciate your patience.

andypiper · 2017-09-14T15:44:52.777Z

Update: the change has been rolled back - be aware that there may be a short delay as CDNs and caches are refreshed, but if you’re able to re-test and see if this is still an issue, that would be great.

Thank you for the report, and for your patience.

aodhol · 2017-09-14T15:47:58.049Z

Same issue here on iOS. There’s an attempt to load twitter_cookies.html from the filesystem using file:// presumably because the URI is protocol relative. Should specifying dnt = true have had any effect on this?

andypiper · 2017-09-14T16:10:20.497Z

This should have been rolled back - please retry shortly once the CDNs have refreshed. It was unrelated to dnt=true.

mannymon · 2017-09-14T16:30:43.844Z

This seems to have resolved the issue on our end. Thanks!

FWIW, I think this was the source of the issue for us…

from what i can tell, that method would look something like this before minification, munging…

may just be a matter of adding a guard here?

in any case, we’d love to know once you’ve decided to re-release those changes… any chance you could update this thread once that happens?

andypiper · 2017-09-14T16:34:44.245Z

Thanks for the feedback! I’ll share with the engineering team.

lananelson · 2017-09-15T19:55:30.782Z

Hi all

Thank you for your reports of the Twitter for Websites issue.
I wanted to update this thread to let you know that we have re-released our changes with a fix for non-http protocols.

mannymon · 2017-09-18T14:42:59.763Z

Thanks for the prompt response!

Artem · 2017-09-28T07:42:40.266Z

Hello,
We are still witnessing almost the exact same problem - when loading https://platform.twitter.com/widgets.js
from the IOS webview, the app opens the browser to
https://platform.twitter.com/widgets/twitter_cookies.html?namespace=twttr:cookies&origin=<our site url>
And after closing the browser, on the page we can only see the unformatted “Tweet” link.

However everything works fine when using the desktop browser, or an Android webview. Only reproducible through IOS webview. Any clues ?

MrDaneeyul · 2018-04-27T14:51:25.528Z

We’re having the same issue as @Artem in a Xamarin Forms project. In the iOS WebView, the Twitter widget on our web page opens the browser to Twitter rather than displaying inline on the page. Any chance of this being looked into further or the issue being reopened? Thanks!