You don't need to use Twitter's JS to show Tweets. If you choose to use their system, you're subject to their rules. If you don't like their rules, don't use their stuff.
Calling it "altering the public record" is a little hyperbolic imo. If you want to act as a repository for the public record, you better use your own system. Twitter is under no obligation to retain this kind of stuff on your behalf.
I'm not trying to say that this is right or wrong, just that these are the facts of the matter when you engage with a company's code and terms of service.
> Twitter is under no obligation to retain this kind of stuff on your behalf.
They declared something worked one way then silently changed how that thing works without properly announcing the change first and giving people enough time to adapt. Would you still be willing to make these excuses if your email provider decided to do the same thing?
Even if it's their system, there's a limit where people would rightfully start to object.
If my email provider started doing something I don't like, shame on me for not saving a copy of my mail. Unless I'm explicitly paying them to keep a copy, which I'm pretty sure nobody using Twitter is doing, then they get to set the rules. And if I don't like the rules, I don't have to use the system, just like I wouldn't use a mail provider that deleted my mail without my action.
An email provider (which you most likely pay for - and don't publish on a website) is very different to a social media site (that you don't pay for and want it out in the public)
It's a free service that they provide - why can they not change how their system works when they want? People can object whenever they want - but it doesn't change the fact that they don't have any 'rights' to show someone else's content via a 3rd party on their website.
Maybe if you paid to embed tweets? Sure ok, they changed the contract - so deal with that.
Is it a bit annoying if you use it? Probably. Is it bad that the docs are out of date? Ok.
Twitter doesn't have any responsibility to you as someone who wants to quote someone else via their platform.
I disagree. Twitter doesn't own that content. Someone posting the Twitter JS on their website to allow Twitter to format the tweet to Twitter's brand standards and allow a link to drive traffic back to Twitter is a favour that they're doing Twitter. They should respect that favour by not changing the contract unilaterally.
Yea, I don't think people are embedding tweets on their sites to do Twitter a favour ... it's because they want to reference something and part of the TOS says to use it.
The TOS on quoting someone? You're saying that if I want to quote something someone says on Twitter in my book or in a newspaper, I have to follow their TOS and style it their way? No, I think not. Applying Twitter's styling to quotes is a nicety. It's nice for the blogger that it looks good on a blog and it's nice for Twitter that they get a link back and their branding guidelines get followed, but there's no way Twitter is going to be able to enforce their TOS on quoting something that someone else said just because it was said on their platform.
You rightly point out the ridiculous claim, noting people don't use embeds as a favour to twitter - and then make the ten times more ridiculous claim that people are using embeds because of the TOS.
At least try and hide the fact you're being bad faith if you're going to engage like this.
But, you as the website operator don’t own that content either? Certainly I have some level of expectation that if I delete something, it may very well actually be gone, right? And further, that Twitter taking steps to do exactly that in places they control is reasonable?
> Certainly I have some level of expectation that if I delete something, it may very well actually be gone, right?
Really? For me this is like saying that just because you stop actively publishing a book, people can never quote it again. That's clearly not true, right?
Edit: or because I didn't distribute recordings of a speech I made, newspapers can't quote me
But I am not, nor do I aspire to be, a public figure. For notable people, and most certainly politicians, I might tend to agree with you, but not for the general case.
Unfortunately, it doesn't really matter if you disagree. They own the platform, and they can operate it how they please. There's no "changing of the contract" here. Their TOS certainly don't guarantee anything at all in exchange for website owners embedding tweets in this way. Any theoretical moral argument is kind of irrelevant.
You, and many in these comments, seem to be conflating twitter’s legal rights with their informal social obligations. No one is saying this is illegal behavior by Twitter. Some are saying it’s very annoying of them to go back on their established policies and break thousands of websites.
I totally agree it's annoying, and at odds with what we would hope for their social obligations. So sure, shame on them.
But also, we could not actually expect anything different. The capitalist/corporate environment in which we operate will systematically compel these companies to choose profits over social obligations. They are accountable to their customers (advertisers), and so whatever moral transgressions we people on the street may perceive -- they don't really play into Twitter's decision-making...
> But also, we could not actually expect anything different. The capitalist/corporate environment in which we operate will systematically compel these companies to choose profits over social obligations.
This is a very poor argument. It does not necessarily follow that profit seeking results in this outcome, in fact it could easily be the opposite case, and so your assertion has no footing.
The "Would you still be willing to make these excuses if your email provider decided to do the same thing?" statement I was replying to was a bit weak as weak :)
But in the case of not paying for your email, then that is also on you to acknowledge there is a set of terms, and you can adhere or not. I certainly wouldn't expect a free service to owe me anything.
Right. And I don’t have a responsibility to not kick up a fuss. So I’m going to kick up a fuss and hopefully people will want to use their APIs and SDKs a teensy bit less.
"If you want to act as a repository for the public record, you better use your own system."
I deliberately chose Twitter's JavaScript because I inspected the design of how it worked and saw that they had deliberately built it in a way that would respect my preferences for how deletion should be handled.
They've changed that on me - without even announcing the change. This is a rug-pull.
Now I have to replace their code with my own implementation, and they've hurt my trust.
Naive at best, honestly. Twitter from their very beginning has screwed over developers who used their platform. So have many of the other companies in their cohort.
This is such a HN take. 99% of the people, even the ones who copy embed links, don't even know what js is. This is a problem for everyone, not just literally you and I.
I don't know why you are (half) working off the presumption anyone cares about the post-hoc desire of the author.
This isn't tricky at all imo.
Just as if I pasted the text directly, I expect my copying of the content to have the same lifetime as the page I put it on. This is irrespective of anybody's wishes after the fact.
Nobody has the expectation that the text would disappear from my page if copied directly - so why should behavior change in any other case?
The original author of the tweet also has the intent. An unfortunate side effect of having a voice, is that sometimes people will listen and make notes.
Not necessarily. The example VOX article[1] had Trump's tweets embedded in the article, which are now hidden. Trump didn't delete those tweets. He was banned.
> There are many more cases of deletions than banned ones, let's not think of the exception as the rule
But that isn't the exception. Banned users tend to be the ones that have some level of public interest, as evidenced by the VOX quote.
> And the blog author still has the text as well
That's right and maybe in some way this new policy accidentally leads to good things, in that it may incentivize sites that embed Twitter's content on their page, to simply bypass that.
It is entertaining to watch the waves of opinion crash against each other when things happen that people don't like. The cognitive dissonance must be a deafening roar. On one hand, people get miffed when twitter changes their JS to block out quotes of deleted tweets, citing an alteration of the public record. On the other hand, people argue that twitter is not a "public square" and can do what they want with the content and users of their platform.
I feel a frequent problem in tech discussion is that the problem is greatly exaggerated, often to levels which are out of scope or come across as unreasonable demands. It has some similarities to Godwin's law.
The follow-up discussion then unfortunately is not so much about the grievance or problem, but about the needless hyperbole.
In the end, because the problem no longer feels reasonable or relatable, it seems more like the author has an axe to grind.
There's too many examples to cite, but one could follow any discussion that surrounds a change made by a large tech company to find numerous examples.
I have a hard time believing there isn't much crossover between those who want to punt opinions from a mainstream platform and those who want to nail someone down for a comment they made forever
Right seems like people are confusing very different points of view: they can do it and they should do it. It’s like reviewing a murder case and seeing arguments talking past each other, one side saying “He was allowed to shoot his gun” and the other saying “He shouldn’t have shot his gun.” The arguments aren’t even on the same level and aren’t mutually exclusive. Both could be true, and the responses just ignore the other's point completely.
There's always a few that post like this. Yes Twitter has a legal right to do stuff like this but can YOU separate what Twitter is legally allowed to do from what is the right thing to do? What's wrong with criticizing a particular policy from a corporate behemoth?
If they want to change this, they can have a new version of the widgets script that makes it clear that it will edit your site, and switch to that in future embed links from the site. Changing the existing one is leaving holes all over the web. Buzzfeed is decimated.
> I'm not trying to say that this is right or wrong
Why are you not, though? I feel like we have been so co-opted by the system that we forgot we are allowed to criticize it. A giant company with billions of dollars should not be given get out of moral jail free cards. They should absolutely be held to higher standards because of all the power they wield.
> I agree with this: Banking on what’s nothing more than a handshake is a bad call.
But shouldn't we be striving for a world where it isn't a bad call? Reputation used to mean something, I have read about it in old books. That was back when choice was a thing. Digg got destroyed in a matter of weeks because they did something users didn't like. Now Facebook is openly contributing to destroying democracy and all they get is one bad financial year. These things are way too big and wield way too much power.
And, with all due and undue respect, statements like yours are part of the problem. I don't know what your intent was, but you come off as defending twitter on this as there was no written contract. While everyone is equal under codified law, we shouldn't forget some people have more influence than others over what gets codified.
> But shouldn't we be striving for a world where it isn't a bad call? Reputation used to mean something,
Reputation isn’t proof. It also carries no context.
If the service is very meaningful to you, then why wouldn’t you want a legal contract?
> I don't know what your intent was, but you come off as defending twitter on this as there was no written contract. While everyone is equal under codified law, we shouldn't forget some people have more influence than others over what gets codified.
Case in point of reputation. You assume I’m defending Twitter, because you can’t imagine that I can agree that it’s a scummy move while also pointing out that it’s bad practice to rely on a company’s word.
As for my intent?
I’m annoyed, dealing with like-minded individuals and engineers.
Having to teach engineers that coding and behavioral contracts get broken, and so code must be written defensively; in a world where pushing out features and adoption is “impact” is quite the uphill battle.
It just took a couple of decades for businesses to realize that “free” has some severe hidden costs.
And appealing on social media hoping to get attention, in a world where there’s too much information and noise?
I think this is a little unexpected though since "you" are still hosting the text of the tweet on your site and publishing it to your visitors but also with a Twitter script that hides it.
Doesn't that mean it should be pretty easy to automate converting all your "deleted" embedded Tweets to a local rendering, albeit without the integration back to Twitter?
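
The conversion this comment asks about, sketched as an added example that is not part of the original thread: it rewrites Twitter's copy-and-paste embed markup into a plain static quote and drops the `widgets.js` loader, so no third-party script is left to restyle or hide the text. `SAMPLE_POST`, the `static-tweet` class name and the function names are assumptions made for illustration.

```javascript
// Constructed sample of a stored blog post containing one embed snippet.
// The author, handle, status id, t.co link and text are made up.
const SAMPLE_POST = [
  '<p>Intro paragraph.</p>',
  '<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Shipping the new release today. ' +
    '<a href="https://t.co/abc123">https://t.co/abc123</a></p>',
  '&mdash; Example Author (@example_author) ' +
    '<a href="https://twitter.com/example_author/status/1234567890?ref_src=twsrc%5Etfw">April 1, 2022</a></blockquote>',
  '<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>',
  '<p>Closing paragraph.</p>',
].join('\n');

// The loader script tag that the embed snippet ships with.
const WIDGET_SCRIPT =
  /<script\b[^>]*\bsrc=["'](?:https?:)?\/\/platform\.twitter\.com\/widgets\.js["'][^>]*>\s*<\/script>\s*/gi;
// The blockquote the loader looks for (class "twitter-tweet").
const EMBED =
  /<blockquote\b[^>]*\bclass=["'][^"']*\btwitter-tweet\b[^"']*["'][^>]*>([\s\S]*?)<\/blockquote>/gi;
// Trailing attribution: "&mdash; Name (@handle) <a href="status url">date</a>".
const ATTRIBUTION =
  /(?:&mdash;|\u2014)\s*([^<]*?)\s*\(@(\w{1,15})\)\s*<a\b[^>]*\bhref=["']([^"']+)["'][^>]*>([^<]*)<\/a>\s*$/;

// Accept only https status links on twitter.com and strip the tracking
// query string (ref_src=...) and fragment. Returns null for anything else.
function canonicalStatusUrl(href) {
  let u;
  try {
    u = new URL(href);
  } catch {
    return null; // relative or malformed URL
  }
  if (u.protocol !== 'https:') return null;
  if (!/^(?:www\.|mobile\.)?twitter\.com$/.test(u.hostname)) return null;
  if (!/^\/\w{1,15}\/status\/\d+\/?$/.test(u.pathname)) return null;
  u.search = '';
  u.hash = '';
  return u.toString();
}

// Rewrite every recognised embed into a static quote and remove the loader.
// Returns the new HTML, the metadata of each converted tweet, and a count of
// embeds that did not match the expected shape and were left as they were.
function staticizeEmbeds(html) {
  const tweets = [];
  const converted = html.replace(EMBED, (whole, inner) => {
    const m = inner.match(ATTRIBUTION);
    const url = m && canonicalStatusUrl(m[3]);
    if (!url) return whole; // unknown shape: keep for manual review
    const tweet = {
      name: m[1],
      handle: m[2],
      url,
      date: m[4].trim(),
      body: inner.slice(0, m.index).trim(), // the quoted text, markup kept
    };
    tweets.push(tweet);
    // The new class name means a widgets.js loaded elsewhere on the page
    // no longer selects this element.
    return (
      `<blockquote class="static-tweet" cite="${url}">${tweet.body}` +
      `<footer>${tweet.name} (@${tweet.handle}), ` +
      `<a href="${url}">${tweet.date}</a></footer></blockquote>`
    );
  });
  const unconverted = (converted.match(EMBED) || []).length;
  return { html: converted.replace(WIDGET_SCRIPT, ''), tweets, unconverted };
}

console.log(staticizeEmbeds(SAMPLE_POST).html);
```

Embeds that do not match the expected shape are left unchanged and counted in `unconverted`, so they can be reviewed by hand.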
I agreed with this several years ago, but I’m not sure any more. Software networks are very different than other things humans have had in the past. They are inherently winner take all and give the owner/creator unprecedented power over users that creators in past generations could only have dreamed of. I wonder if software companies should have some restrictions to make up for this
I see so many people here arguing that by embedding javascript directly from Twitter, you are accepting whatever they choose to make that javascript do. While that is true to an extent, Twitter has provided documentation for this javascript that says that if the Tweet gets deleted, the javascript will simply stop styling your quote of the tweet that you have on your website.
By changing the behavior of the javascript, without even updating the documentation, Twitter has broken every rule of being a good distributor of third-party code. In a similar vein, any third party code could at any time do any number of malicious things. Just because I didn't pay Twitter for the privilege of running their code and just because I embedded their code in my website does not make it okay for them to start distributing malware to modify my website to their liking.
There are lots of other malicious things Twitter could have the javascript do. Twitter could start showing ads before and after all quoted tweets. This would also conflict with the documentation and would be malicious.
"Twitter has broken every rule of being a good distributor of third-party code." Yes, and you've broken every rule of common sense by thinking that their goals are your goals and they have any interest in being a 'good' anything besides profitable. You are embedding code from a money making bot. To expect them to host deleted tweets forever as some public record is absurd.
Okay, but they’re not “hosting” anything (other than the script). They could take down the server with that script on it and the markup would show up fine. If Twitter went out of business tomorrow, all these tweets would magically show up again. But no, they’re going out of their way to break your webpage. That is absurd.
You are using content from twitter on your page and then using a script from twitter to format the content, right? You've ceded control on how it's displayed. They changed their mind on how to format the content. You are responsible for your page no one else.
This is kinda like asking someone who just got robbed “Why did you leave your door open? You’re responsible for your home no one else.” That’s true, but it’s still not okay to rob people!
Functionality aside embedding random scripts from twitter seems like a big risk for security and privacy.
At a minimum, it should probably be embedded in a sandboxed iframe.
Just taking a screenshot, and linking to the tweet, seems like a more robust solution, that won't randomly stop working, and doesn't have the same privacy issues.
"Functionality aside embedding random scripts from twitter seems like a big risk for security and privacy."
When I started blogging again, I wanted to render my Twitter feed on the homepage, as a sort of bitesize alternative to the regular content, but I too have a deep aversion to allowing external scripts on my websites. So I added some code to my Hugo theme that pulls the tweets from my profile via the Twitter API and renders them statically.
This is still "vulnerable", in a way (though not the same kind of vulnerability as embedding third-party scripts): if Twitter disappears—or just stops returning your tweets for some other reason (e.g. they shut down their API or your account)—then you lose access to your content. It can be mitigated by making sure your SSG output is also in version control—not just the input. (While you're at it, it's a good idea to make sure your SSG is version controlled, too. That doesn't have to be a whole copy of the SSG source and/or binary in your repo; it can be e.g. its version string.)
That of course still leaves open the matter of whether/how you're making sure to trigger a new build for every new tweet.
For me, all I cared about was not loading their script. I'm not at all attached to my tweets, so I'm not really willing to put any effort into preserving them for posterity.
> That of course still leaves open the matter of whether/how you're making sure to trigger a new build for every new tweet.
Back when I was applying for my first career position, one of the companies asked for a demo project, with one of the options being something that could poke at the Twitter API.
It was pretty darn simple to get the text of a tweet, and just apply some styles to it. If one was motivated, making something to replace Twitter's version of embedding would not be very difficult.
Sure, but these problems were anticipated in the design of, certainly later, HTML specs. One example: the ALT text tag for images, which has been part of the spec since at least HTML4, originally published as a recommendation in 1997.
Every image on your website(s) should have ALT text to be screenreader friendly and, if it doesn't, that's on you: it doesn't make using images an inherently bad or accessibility-unfriendly idea.
The unstyled blockquote is probably enough, without pulling down the JS to embed twitter's marketing, tracking, and whatever else they might be observing.
Is it necessary for a quoted tweet to look exactly like it came from Twitter when the text and a link serves an identical purpose?
That said, if someone wants to delete a tweet or otherwise correct the record, are you prepared to issue a correction of your own when quoting a tweet? The internet is particularly unforgiving when it comes to this.
<portal> is an experiment/pet project pushed (and only implemented!) by one browser vendor, which as far as I know remains feature flagged.
It was shipped behind a flag with an initial implementation vulnerable to a same origin policy bypass as well as local file disclosure. As far as I can tell the only reason it wasn't assigned a Moz standards position of "harmful" is because Google argued "it's actually still a work in progress!" (three years ago).
The behavior of the object element is to use its child nodes as fallback content in the event that the resource cannot be loaded, similar to the treatment of images' alt attributes for images that fail to load. This isn't to say that this protects against a determined adversary (who might then choose not to return HTTP 404/410 and instead HTTP 200), but the mechanism is there.
iframe is loading a whole page with script permissions (and sandboxed). It seems there isn't any tag for adding a remote snippet of html, like you can do with ajax
What do you mean by "remote snippet of html"? An iframe loads whatever's on the other end of the src URL. If that's a "whole page", then it loads a whole page. If it's just a "snippet" of content, then it loads that. Any snippet you think of can be loaded by iframe exactly as described. The only hitch, really, is that it's always treated as block-level content instead of CSS-style "inline" flow-level content, but that's clearly not relevant to the use case at hand—embedded tweets are already block-level.
It's not clear what you're asking for. (E.g. do you want that snippet not to be sandboxed?)
iframe is a full page. I mean some HTML code, a div or some text or a table etc. The kind of things we load with Ajax. The equivalent of <img>, but for HTML content: <remotehtml src="https://twitter.com/snip/12345678" />
This isn't really any clearer than your earlier comment.
> iframe is a full page.
An iframe loads whatever you give it. If you give it a URL to a "full page"/"whole page", then it loads that. If the URL leads to e.g. "a div" or "a table", then that will be loaded. That's under the control of the person who's putting stuff on the other end of the URL. To repeat, there is exactly one case where this doesn't hold up: when you want the loaded content to be inline and not block-level (e.g. "some text"—and if inline content is what you meant, then you should say that instead of just giving another vague response; again, though, even if that is what you want, how would that be relevant to the use case we're talking about here: embedding tweets?)
It doesn't inherit style etc. It's also a completely different document for scripting purposes. It's also rather heavy, hard to have 100 iframes in a page
It's just an idea not a proposal. It would be sandboxed, the idea is to allow html only, so as to avoid scripting. Don't we do that all the time with ajax?
Totally agree. I wonder if this is by-design. Lots of companies would love to have control of a javascript snippet operating on the worlds biggest websites.
> Just taking a screenshot, and linking to the tweet, seems like a more robust solution, that won't randomly stop working, and doesn't have the same privacy issues.
How long until people realize sites like Twitter are actively hostile, and embedding their scripts is equivalent to letting the Trojan horse through your gates?
The privacy tradeoff is not Twitter's to make. The content was copied - while still available - and placed on another website. Twitter's responsibility is to serve or not serve content. If it cannot serve the content requested, for instance because that content was deleted, then they should not continue to alter the non-Twitter webpage.
Of course, the real problem is that the site administrator is allowing Twitter to run arbitrary code on their website. I have much to say on that topic, alas, it is the choir reading HN and they don't need me to preach.
Say if someone invokes a right to be forgotten on Twitter and it complies by deleting all tweets by said person (I’m imagining this is how it works) is it Twitter's responsibility or the website that embedded Twitter’s tweet to ensure that it’s deleted? In my mind it’s Twitter since it comes from them no?
Consider it from the context of a "right to be forgotten" though. Setting aside whether that should be a legal right, there's certainly some kind of argument that if the right-to-be-forgotten is at some level a moral good, then technologies that assist in enforcing that right have at least some level of moral justification in doing so. Does that override the rights of a website operator to expect that their tools will not erase their content? Perhaps, perhaps not - but it is indeed a tradeoff.
Even if the right to be forgotten is a moral good, it is not (and should not be) an absolute right trumping other rights such as freedom of expression (also a moral good). Twitter can decide to stop hosting the content you published on there, either at your request or at their discretion (e.g. banning your account), but forcefully removing content from another operator's website is overreaching, it is simply not their call to make.
I think we need to look at this more like grading on a curve.
If I were still actively using Twitter and posting something that I later delete - OK. I can see the argument from a 'right to be forgotten' point of view. If the president of the US does so to beautify the public record, not so much.
In Germany we have the concept of a person of public interest. People who are publicly visible due to their position in politics, media, entertainment or because they try to have their face seen by any camera lens available, need to "endure" more public/media scrutiny than Jane Doe from next door.
The problem is, that this can only be decided (in a conflict) by due process in a court of law.
So Twitter deciding to use privacy as an argument to enable a few reported on whales to beautify their record (because let's be fair, who embedded a tweet from Jane Doe?) seems at least questionable.
> So Twitter deciding to use privacy as an argument to enable a few reported on whales to beautify their record (because let's be fair, who embedded a tweet from Jane Doe?) seems at least questionable.
It's not just a few whales. Imagine you're being arrested, someone films that arrest while the cops are speaking your PII (name, address) into their radios, and the video of the arrest ends up on Twitter.
Under "right to be forgotten", you could (and can) demand removal of that video - but your data would still be floating around the net.
Is it still just your website if you rely on Twitter integration to style certain portions of it and populate it with content (or at very least add metadata of said content)? Seems more of a collaborative effort.
Why not just copy paste or screenshot the Tweet? It's bizarre to reference a script from twitter.com directly in your site's source code and then complain that the script is doing exactly what it is supposed to.
- copy paste the content of the tweet - meta data is lost (date and time, author), obv it is possible to copy paste the text and add links to original tweet and link to an author;
- screenshot - now you don't have to add custom styles, meta data exists, but it is not usable - you can make it so click on tweet will open a tweet, but click on tweet author will open author's profile. Also screenreaders and bots - they don't parse text from images and it is harder to make images work on smaller screens.
The solution is not as simple as - ctrl+c ctrl+v text or screenshot and call it a day.
You need to consider that content will be interactive (all links should work) and accessible (for screenreaders and mobile).
___
So it is understandable why low effort approach with embedded scripts, but less secure is more popular than high effort most likely not completely working, but more secure approach.
The better way would be to use twitter api and render tweets with your own styles. Safe, accessible, interactive.
Great point on accessibility, a guarantee of screen reader support is a benefit that would be lost with screenshots or text without the correct semantics.
I think that's an impossible problem to solve for the general case. To guarantee correct rendering, you very well need to push the site through the entire rendering/js pipeline.
Aesthetics and familiarity? It's a lot nicer to link the user's name directly to their profile, and the date directly to their tweet on Twitter as opposed to having a separate link or whatnot. For many, especially your average Joe/Jane, will expect the aforementioned behaviour.
Well if you want Twitter's aesthetics then you have to import their CSS/JS and let them "edit your site". Or recreate all of it yourself. What solution are people looking for exactly?
Posting the screenshot of the tweet as a link to the tweet doesn't seem like an awful solution to me. Additionally if the tweet gets deleted or the user gets banned there is still some record of it and the page doesn't have a weird gap where a tweet should be.
The problem here is that you are erasing history. Imagine someone going into the town square and yelling something profane. That can never be unheard, people will never forget. There will be record of it. Twitter is the only authority that can validate that a tweet actually happened. All other archival services can be considered questionable and easily manipulated (albeit unlikely).
Because if it's just a screenshot or your own copy/paste, I have no reason to believe it's real. The only hint of authenticity is that it's served from twitter.com. The fact that there's no way to prove a tweet even happened after it was deleted or account banned seems like a problem to me.
We as human beings should always strive for the better, to improve, to do the best we can within reasonable bounds.
It's imo not about pettiness, finding errors of others to shame them, or holding others to a bar set too high, but rather, if we don't, we start tumbling towards lesser good things as a society and community and humans.
Not to say that it's not ok to make errors (it is, and it's human), but if we spot one and can easily correct it, we should.
Non-standard doesn't mean improper. It's still valid English. Just because some people are too lazy to type or comprehend an apostrophe in the word "it's" to signify "it is" doesn't mean that the rest of us have to follow their lazy example.
In which case, it's still wrong in the title. Just because people are too lazy to scroll up and read the erroneous title doesn't mean nit picking pedantry makes them correct.
Yeah, I took up a cause that I was passionate about a little too quickly there, and realized that I was fighting for the wrong "it's". It's past my bedtime here...
But how will marketing determine the effectiveness of their efforts if I don't "just add a single line of code" for every social media company to our website? </sarcasm>
It is even worse than that. Google nowadays still uses this argument telling you that only this way they can optimize your ad placement towards Conversions.
While at the same time telling you (in their documentation) that due to script blockers and gdpr they just estimate (using more fancy terms and talking about ML & AI) the Conversions they report (and use for optimization).
They basically tell you: Trust us - we estimate your success in the best of your interest. As if they were a neutral party in that equation.
True, npm packages are a risk. However, I think that there is a big difference between using npm packages and loading javascript from a third-party domain: with an npm package, you can inspect the source. If you don’t like what you see, you can avoid the package. I’m sure that most developers fail to do so, and just blindly trust that the package will do what it says and nothing else, but at least the opportunity is there. If you load javascript from a third-party domain you lose that opportunity, and all hope of keeping your website secure and your visitors' privacy intact.
Oh, this is the missing piece! It seems I'm blocking Twitter's JS if it's not on their site. I didn't even realise and I was confused about what the author meant as I could clearly see the tweet on their site.
I was so confused when the article said "See? If I embed this tweet, you can't see it" but it was there to me (since Twitter JS is blocked by at least two extensions in my browser). Thank you for pointing that out!
It's a shame there's no better way to preserve a tweet than taking a screenshot -- there's no way to prove that an individual said something, save for perhaps trusting the record on archive.org
It doesn't have to be this way. Either the individual or the platform could cryptographically sign content to prove that it really happened. I guess Twitter would prefer a plausible deniability. If anyone screenshots you saying something you regret, you can just say it was forged.
I've never had my name dragged through the mud on twitter or anything but I'm super glad knowing that if I do make a mistake I can delete it rather than having it immortalised on the internet to be used as a weapon against me forever.
The blockquote is still inside the page and indexed by search engines. While many will get a blank preview, it is still immortalized on the internet and visible if you block Social Tracking / Twitter's widget.js.
Twitter itself can always prove an individual user said something. I assume they never actually delete any tweet from their system, so a proper law enforcement request can require them to verify that a particular tweet actually did originate from a handle at such and such a time & IP.
Isn't this the way the internet is supposed to work? If I link to a page and the page is removed, it'll not show, right? Same thing if I were to add that page as an iframe on my site.
So, IMHO, the title and the post don't make any sense. Twitter isn't editing anyone's site. You have chosen to embed some content of Twitter on yours and it is perfectly fine if they chose to remove it.
If you link to a page, whatever text you put in as the body of the link will remain. The link itself won't go anywhere, but the content you have added to it will remain. In this case, it's as if the link text also vanished when the target page vanishes.
That would be an interesting solution to link rot, admittedly - lots of older pages which are just empty lists formerly containing links to now defunct websites!
Right, but it was not added as an iframe, it was added with the actual content along with the script. So it's kind of like the iframe reaching out and deleting the surrounding conversation about that link once the page goes offline, if iframes could do such a thing.
> Isn't this the way the internet is supposed to work? If I link to a page and the page is removed, it'll not show, right? Same thing if I were to add that page as an iframe on my site.
Hmm. Personally I think when u delete a tweet, you should not be able to embed it. If you changed your mind about a tweet, you should be able to decouple it from your account. If people want to refer to tweets, how about a screenshot? It's safer, faster and can't 404 when twitter is down.
And I think the whole "they edited my page" statement is ridiculous. You EMBED a part of twitter into your page. You know it can change. If you embed a youtube video, and the owner deletes it, it won't play anymore. Obviously.
True of course, you pretty much hand them the key to your house to do as they please. I remember defunct banner ad services redirecting all pages with banners on them.
The problem is real tho. You casually publish 1-3 things per day. After 20 years you have many thousands of pages that slowly rot away. You could monitor them and delete the articles but that doesn't always work. A tweet and a 5 second video in the middle of a lengthy article don't render the article useless. It becomes something like old paper publications citing lists of unobtainable things.
Read the post - previously deleted tweets showed the blockquote fallback. Now they get a useless injected blank iframe, removing the blockquote from the DOM.
> Malware (a portmanteau for malicious software) is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users access to information or which unknowingly interferes with the user's computer security and privacy.
This script distributed by twitter is software intentionally designed to cause a disruption to a server and to deprive users access to information.
Well, any third-party script that you embed on your website can edit your site and do many other nefarious things (key logging, credential stealing, ...). I never got how people can just copy/paste some random JS into their own websites (often without even using integrity tags). Social embeds in particular have turned the web into a surveillance machine for large corporations, as every FB/Twitter/Instagram/... embed tracks users across every web property that has such an embed, and until very recently almost every major website had such embeds.
Luckily GDPR seems to have a chilling effect on recklessly embedding such stuff without thinking about privacy or security implications. Personally I hope that in a few years third-party embeds will mostly be a thing of the past.
We used to have this concept in software engineering, called "coupling". Dependency or independence of each module greatly determines the quality and reliability of the overall system. Generally, too much coupling is bad. But you can also use inappropriate coupling, where even a little is bad. This is an example of inappropriate "external control coupling" (where js code is being changed remotely - am I wrong?) arising where light data coupling (where data only is pulled in) is required.
The "web" has been going to hell in this way for a decade at least, because it ceased to have boundaries. Without boundaries there cannot be responsibility. Widespread introduction of JavaScript created a quite different kind of technology from the WWW in which concepts of client-browser and document-server made any sense.
Minus any reliability/security it can't be considered safe for delivery of important materials now. If even the site owner can't trust what you see on a site that's bad (though as people point out, we've had this even since banner ads). But it's why I think the future of critical "information services" (as opposed to e-commerce / social media) is on something like Gemini.
You have to have some level of trust - our ASP.net website loads quite a few Nuget packages we regularly keep up to date. Theoretically any of them say Stripe or Paypal could add nefarious code into our site to steal a bunch of stuff - there's no practical way for us to review the source code before updating.
For Javascript if you're paranoid you can add the `integrity` attribute, and most of the time you can self host the JS although all of these come with maintenance commitments.
I think it's reasonable if you trust the source (Twitter for example) to embed their third party code.
The difference is that you have a contractual relationship with Stripe or Paypal when you use their services. When you embed FB/Twitter/... content there's no such relationship, that's the issue.
OK bad examples, but any open source project you use via a package manager in your projects you have to trust and there's no contract or relationship there.
Yes but bundling packages via npm is not an issue either, it's the fact that third-party embeds transfer personal data to the third party whenever a user visits the website, that is the central issue.
Don't like the "Twitter Edits You" title of the article. Sensationalist/misleading.
Tweet embeds are a live link to the Twitter system to show a tweet. To show the actual tweet from the Twitter platform. If the tweet doesn't exist, there's nothing to show. No one said it should maintain some kind of 'copy' of old data on your site.
Apologies I understand more clearly that it is rewriting/overwriting the blockquote now. But that is the javascript hiding the blockquote, it's not "gone". It's still in the html, still visible to scanners and bots (and those with no javascript and perhaps also screenreaders for the a11y folks). Javascript/CSS hides alllll kinds of stuff on the web alllll the time to make pages look/format a certain way.
They're not entirely right, but they're not wrong either. You're running their javascript to power the embed, and so they gave the response "respecting user's deletion".
I am not particularly upset by this. You choose to embed JavaScript that interoperates with your website to make tweets look like Twitter … Twitter has decided that deleted tweets look like nothing now … that’s what you wanted.
Apparently the “contract” that Twitter would preserve the text of a deleted tweet was a tweet from some random employee.
This seems to me like an improvement for systems that don't have blockquotes in their embedding source (previously the behavior was that if there was no HTML inside the embedding element there was no fallback at all and it was just an empty element) that was an accidental regression.
I hope they add a simple check if the element has children or not to fix the regression, but I work on an app where some sort of fallback UI for deleted Tweets is a welcome change, even if "blank Tweet card" isn't a huge improvement, it's still a small win to get some hard-to-fix-on-our-side UI complaints off the backlog.
Disclaimer: I'm not a web developer nor a journalist/blogger, whatever.
My non-expert, likely useless, take on this:
Don't use Twitter's technology. If you're interested in quoting a tweet to create a public take a screenshot, copy of the text, quote it and provide a link. Simple.
If part of your post links, or portals, to another site you don't control it's not part of your blog/post/site. Complaining when remote content changes is pointless. You're not capturing what was when you link to remote content managed by someone else; you're capturing something live, it's not a public record. It isn't quoting anything.
The key is that they're not linking remote content – they copied the content of the tweets into their websites' code, and then used Twitter's JS to render it. I.e., it used to be a purely stylistic change.
All of a sudden, this very inert code has changed, without warning, to actually edit any websites using it to delete the text that they put there. I think many would consider this malware-adjacent, if it wasn't from such a large company.
Implicitly, when you quote a tweet you are agreeing to a contract of adhesion (basically a shrink wrap license or "by using this site you agree to our terms"). Twitter even told people that the quoted text would remain.
Now site ToS usually say that they can change the terms whenever they want. But that's going forward: something you wrote in the past should be under the contemporaneous terms.
So I wonder if someone could successfully sue under California law. If successful, it would be a great improvement to consumer rights.
> That widgets.js script looks for blockquotes with the class="twitter-tweet" on, and replaces them with a Twitter branded iframe to confirm that it is a real tweet
And that's how most libraries work? I don't see an issue. Yes, if you delete the tweet it seems they changed the behaviour (and that might be an actual bug) but still...
How are you supposed to prove the tweet actually happened if you just post a screenshot? It's trivial to forge a screenshot of a tweet to say whatever you want.
It's presumably trivial to forge Twitter's "verified" embedding as well, so that doesn't prove anything. (Just have it link to a deleted tweet - plausible deniability!)
If it still exists, just add a link to it underneath the screenshot. If it was deleted, then there's not much you can do, but that's no different than if you had embedded it.
Why do you people even use Twitter? It's one giant pile of crappy content and dark ux patterns. What did you expect? That they'd play nice forever? Are you really new to this? Did your preschool not have a sandbox?
This is so stupid on twitter's part. It's obviously easy for publishers to work around by including both the blockquote of the tweet (unadorned), plus the version w/ the twitter embed class.
This is why I never use these iframe widgets. They are not only useless and untrustworthy, they are also damn slow. I take a screenshot of the tweet I want to reference, put it into a bucket behind a CDN and then embed an <img> of the tweet inside an <a> which links back to the tweet. If the tweet gets deleted then the link will break and users will see that the tweet was deleted, but my screenshot stored on my own servers will remain forever and my website will continue to make sense.
Own your data, own your blogs, own your words, own what you create/write/do on the web. Don't rely on third party services to uphold a common sense contract or what most people would expect is the ethical/correct/good thing to do.
Unless you commit and are convicted of an actual crime with your tweet, nothing - absolutely nothing - should result in a blanket ban or deletion of your post. And no, insulting the embedded bloodsuckers that hold congress (and our lives) in an iron grip is not a crime.
We need to go back to the days when sticks and stones broke bones; when words were correctly not "violence" and that your right to not be insulted existed solely in that self-important (but empty) cavern between your ears.
I can only predict how much worse will the twitter get now that people will be able to edit whatever dumb shit they write in order to avoid backlash and retcon events.
Public service means government run. A newspaper isn't a public service (in the US), but official notices can and do appear there. Even if no one reads the newspaper anymore. Same thing with private broadcasters like CNN, Fox News, etc. Public service has a specific definition.
Why don't you just remove the javascript so they appear as blockquotes? Seems a bit dramatic. Don't think I would expect twitter to show deleted tweets in the first place, I'd probably just use a screenshot if it's something that I think might be removed.
If permanency is a priority then letting external scripts be responsible for presenting content is not a good idea, especially if the agreement doesn't make any promises about whether content will be permanent, and doubly so if the agreement / terms of service explicitly say they can change the behaviour of their services at any time.
What this probably calls for and maybe something is out there is some service that can embed, archive, and track changes to a tweet or social media post. You'd embed the same way, but the archive will fetch and cache the content. It could then serve up the original version, as well as a timeline of changes.
The right to be forgotten has merit though, and I can see twitter's logic there and probably they're under pressure via GDPR or something. So any archival or cache service would need to take that into account. Various countries and districts have varying laws on what is and isn't official public record too, so it seems like managing that could be the function of a dedicated archival service.
The API contract laid out in their documentation. There’s a screenshot in the post right around there.
The API contract is:
> What happens when an author deletes their Tweet?
> The Twitter widgets JavaScript will not display a fully-rendered Tweet if the Tweet no longer exists on Twitter. The fallback <blockquote> containing Tweet information will be visible on the page.
I've never understood why people even wanted to use this. For the styling? So you can just copy some random stuff from Twitter and it looks like Twitter but is also interactive?
Just as with the Facebook Like button, you're exposing your visitors to the tracking of Twitter.
For what? Just so you can quickly copy one snippet and be done with it, instead of manually copying author name, content and link and spending 10 seconds to format this yourself.
I wish I had something constructive to say, but this always seemed like a totally unnecessary "feature" with a lot of downsides. Instead of embedding 280 characters in your website you make it download an order of magnitude more from somewhere else and then execute code to display those characters in a way someone else deems appropriate.
I mean it's fairly easy to understand why people used this.
It's very convenient (just click share or use a WordPress widget to embed tweet), it always look pretty, and there are multiple actions available from the tweet: go to profile, reply, share ...
So more features for less time to set up. This is a service like all other services, you usually trade off something like privacy for convenience. Why use Dropbox when you can have your own NAS?
One advantage I've seen people recently point out about using content transclusions in general (where the Twitter widget is an example of such), is that these provide some level of evidence that the transcluded content is really something that exists at the source. Screenshots and other "fetch and burn into the receiver" approaches can be fabricated very easily to create fake news; but it's a bit more of a technical challenge to fabricate a widget such that it appears to be pulling material from a source — especially if there's also a canonical deep-link back to said source embedded in it.
> For what? Just so you can quickly copy one snippet and be done with it, instead of manually copying author name, content and link and spending 10 seconds to format this yourself.
Unfortunately copyright law is not going to be happy with that one. [0] It's insanely complicated, but basically, as things are at the moment, the original poster has a right to retract the publication at any time. You may find yourself in legal hot water if your copy doesn't disappear at the same time as the original.
That is precisely the argument made in Agence France Presse v Morel [0], cited in the article I linked to. One of the statements to come out of that rather drawn out and complicated case is:
> plainly sufficient for the jury to conclude that AFP’s infringement was willful under either an actual knowledge or reckless disregard theory
Assuming that you would be covered under fair use, is a "reckless disregard" for theory if you comprehend the copyright situation at all. These things are very, very, complicated and you cannot simply assume that you have the safety to copy a tweet.
It is for a good reason. The original content of the tweet is preserved and not editorialized. Also Twitter has explicit rules around the display of tweets
The worst example being media organisations. Why would you cede any remaining semblance of journalistic authority by cheaply embedding tweets into a news article. Handpicked commentary from a narrow part of the internet does not constitute an expert opinion, nor does it lend you any credibility. If anything, it lets me know that I’m seeking news in the wrong place. The short term gains, if there are any real ones, seem to be obviously outweighed by the negative impacts to your reputation as a news organisation.