Player Card bug


#1

On july 2013 our player cards were approved by Twitter and worked fine for almost 2 years, until last week.

For the last days we have been debugging this issue to find out the exact cause and these are our results:

STEPS TO REPRODUCE

  1. Post http://teveo.com.co/AAMAAAAX on your twitter account
  2. If you are on a PC, refresh the page to see the card
  3. Click the thumbnail to play the video

ACTUAL RESULTS

  1. If you are seeing the card from your PC you will see an empty space
  2. If you are seeing the card from Android or iOS device, the card will work just fine

EXPECTED RESULTS

Player card should be rendered in every platform

CAUSE:

We don’t know why, but since last week, our cards are being placed within an iframe’s sandbox as this line shows:

<iframe frameborder="0" sandbox="allow-popups allow-same-origin allow-scripts" allowtransparency="true" scrolling="no" src="https://teveo.com.co/AAMAAAAX"></iframe>

With this restriction, Flash player will never work because the sandbox attribute "prevent content from using plugins (through embed, object, applet, or other)" according to this W3 article

This restriction is not applied to big players like Youtube, as you can see in theirs cards:

<iframe frameborder="0" allowtransparency="true" scrolling="no" src="https://www.youtube.com/embed/h5l4Rt4Ol7M"></iframe>

#2

I forgot to mention the card works fine in the validator. The validator do not use the sandbox attribute :wink:


#3

My player cards have been working for almost a year, then on March 6th they stopped working. According to Twitter, player cards must be served on SSL (I’m not sure if this has changed or not), but my player cards only work on non-SSL links.

Example:
https://omgtap.co/b/?9ztBwGp - does not show ‘View Media’ on my post (SSL)
http://omgtap.co/b/?9ztBwGp - does not show ‘view Media’ on my post (non-SSL) because it redirects to SSL link.

http://omgtap.co/userfiles/10000/10001/blogs/1427358593_Just_A_Song/ - WORKS (non-SSL and not redirected to SSL connection)

I had to disable the SSL redirect in my .htaccess file and use non-SSL connections to make these work.

Greg


#4

Hi, Greg

It doesn’t matter whether you post the URL in HTTP or HTTPS on twitter. What’s HTTPS mandatory is the markup, specifically the twitter:player tag and yours is fine:

<meta property="twitter:player" content="https://omgtap.co/aud/indexnap.php?bPl7ocI">

I see you’re also being sandboxed.

I’m testing your SSL certificate and it gets an F rating, the worst possible. I don’t know if this might be a problem with twitter cards but it is a security problem for your site. take a look at https://www.ssllabs.com/ssltest/analyze.html?d=omgtap.co


#7

I can confirm this bug on my site and also add that other big players like livestream, ustream, brightcove and ooyala still have their Player Cards intact.


#8

Yes, ing… been there and done that. As stated before, the Player cards worked perfectly for almost a year (even with the F rating)…

It DOES seem to matter if it’s posted SSL vs non-SSL (the links I provided above only prove that).

http://omgtap.co/userfiles/10000/10001/blogs/1427358593_Just_A_Song/ - WORKS
https://omgtap.co/userfiles/10000/10001/blogs/1427358593_Just_A_Song/ - DOES NOT WORK

This is an example of posting the URL in HTTP vs HTTPS and it WORKING vs NOT WORKING.

Thanks!
Greg


#9

Hey, Greg

I see what you mean by works vs doesn’t work. But using the card validator i’m getting an error for your HTTPS URL, specifically: “ERROR: Fetching the page failed because connection is refused.” without solving this issue your card will simply not render in HTTPS.

I had that very same bug 2 days ago with my HTTPS URLs, and just like you, my cards were working fine for more than a year. It seems Twitter made some changes and is getting stricter with the SSL validation now.


#10

Yes, Teveo, there are a handful of people I have seen that the Card Validator doesn’t work on - my site included. If Twitter is making changes and getting stricter with their SSL Validation, they probably should post some information on what to do about it.

I’ve read that they just started whitelisting all cards except for the Player Card (which still needs validated)… My Player cards are validated. Everything worked perfectly until March 6th for me - then the validator started refusing the connection, and the media on the player cards stopped showing up.

Absolutely no changes on my end. I’m just hoping someone at Twitter might see these posts, because the Player Card feature is why I started using Twitter and without that feature, i’m probably history…

Thanks!
Greg


#11

Same problem here, and my domain has an A SSL rating, so I don’t think the problem comes from that side


#12

We are currently in panic mode because of this. We even bought a new domain and applied again for Player Card, but it was rejected because "Your card loads on iOS and Android, but not on desktop"

Our cards works on desktops, obviously, but Flash Player is required.


Player Card rejected
#13

Update:

My server, omgtap.co, now has a “A” rating on the SSL via https://www.ssllabs.com/ssltest/analyze.html?d=omgtap.co and the player cards and validation still do not work on SSL but work on non-SSL.

Greg


#14

Adding to the investigation I’ve just found out there are a lot of sites without this restriction in their Player Cards, not only the big sites like Youtube, Livestream, Ustream or the others already mentioned. One of this ‘small’ sites is heyheyapp.com

Tweeting https://heyheyapp.com/p/gLD.MT?twembed will create a player without the infamous sandbox attribute.

Is there any twitter staff in twittercommunity.com who can answer why we are getting the restriction and others aren’t?


#15

Hi there,

We’re also experiencing the same problem, everything working fine until about a week ago and now the player card just renders a black space instead of the player - but the validator still loads just fine. Our content is also distributed via a secure CDN so the certificate should have a pretty high rating.


#16

Any Twitter staff around? This is getting pretty urgent… any way to avoid having the sandbox tags added automatically? Our player has been whitelisted for a while now, and we have urgent events that requires a working Twittercard coming in a few days…

Thanks!


Video Card
#17

Hi everyone,

I wanted to let you all know that I have made the Cards team aware of this issue and they will investigate. A followup will be posted as soon as I know more.

Related post: Video Card
Tracking internally as PREL-12914


#18

Tim,

I found a temporary workaround for this issue on my site. It might work for you if you have some urgent posts coming up.

If I post a non-SSL url to Twitter, the cards work fine. I haven’t changed anything with the Twitter Player Card meta tags - they still point to secure links. I did have to disable the automatic redirect on my website so that it doesn’t redirect everything back to SSL.

It’s a workaround, but it works on my end… Maybe it will help someone else!

https://omgtap.co/userfiles/10000/10001/blogs/1427358593_Just_A_Song/ - doesn’t produce a card when posted - try tweeting this url within Twitter.

http://omgtap.co/userfiles/10000/10001/blogs/1427358593_Just_A_Song/ - WORKS when posting - try tweeting this url within Twitter.

Strange, but it’s a temporary fix. Hope this helps someone! This problem has been going on for a month for me.

Greg


#19

jbulava,

thank you! someone from Twitter does exist in the forums. it seems like we have been talking to a wall for weeks!

Greg


#20

It’s true, we are in the forums whenever possible! Apologies for your Player Card frustrations while we sort things out.


#21

Thanks Greg, I’ll look into this, but hopefully jbulava will have things sorted out fast? :smiley:

Thanks for taking care of the issue btw!
Tim


#22

The Cards team identified the issue and it has been resolved. I tested a couple of URLs, but please confirm that your Player Cards are now working.