from Hacker News

Twitter is using its embedded JavaScript to hide tweets that have been deleted

by epeus on 4/6/22, 3:38 AM with 245 comments

  • by tofuahdude on 4/6/22, 6:51 AM

    You don't need to use Twitter's JS to show Tweets. If you choose to use their system, you're subject to their rules. If you don't like their rules, don't use their stuff.

    Calling it "altering the public record" is a little hyperbolic imo. If you want to act as a repository for the public record, you better use your own system. Twitter is under no obligation to retain this kind of stuff on your behalf.

    I'm not trying to say that this is right or wrong, just that these are the facts of the matter when you engage with a company's code and terms of service.

  • by blendergeek on 4/6/22, 12:45 PM

    I see so many people here arguing that by embedding javascript directly from Twitter, you are accepting whatever they choose to make that javascript do. While that is true to an extent, Twitter has provided documentation for this javascript that says that if the Tweet gets deleted, the javascript will simply stop styling your quote of the tweet that you have on your website.

    By changing the behavior of the javascript, without even updating the documentation, Twitter has broken every rule of being a good distributor of third-party code. In a similar vein, any third party code could at any time do any number of malicious things. Just because I didn't pay Twitter for the privilege of running their code and just because I embedded their code in my website does not make it okay for them to start distributing malware to modify my website to their liking.

    There are lots of other malicious things Twitter could have the javascript do. Twitter could start showing ads before and after all quoted tweets. This would also conflict with the documentation and would be malicious.

  • by WatchDog on 4/6/22, 6:33 AM

    Functionality aside embedding random scripts from twitter seems like a big risk for security and privacy.

    At a minimum, it should probably be embedded in a sandboxed iframe.

    Just taking a screenshot, and linking to the tweet, seems like a more robust solution, that won't randomly stop working, and doesn't have the same privacy issues.

  • by car_analogy on 4/6/22, 3:49 AM

    How long until people realize sites like Twitter are actively hostile, and embedding their scripts is equivalent to letting the Trojan horse through your gates?

  • by paxys on 4/6/22, 7:08 AM

    Why not just copy paste or screenshot the Tweet? It's bizarre to reference a script from twitter.com directly in your site's source code and then complain that the script is doing exactly what it is supposed to.

  • by riffic on 4/6/22, 6:23 AM

    fix the title please

    An apostrophe as a possessive marker in its is nonstandard:

    https://en.m.wiktionary.org/wiki/it%27s#Etymology_2

  • by slater on 4/6/22, 3:50 AM

    FYI if you block their JS on third-party sites, it works fine:

    https://i.imgur.com/cb5Lyd5.png

  • by jazzyjackson on 4/6/22, 8:08 AM

    It's a shame there's no better way to preserve a tweet than taking a screenshot -- there's no way to prove that an individual said something, save for perhaps trusting the record on archive.org

    It doesn't have to be this way. Either the individual or the platform could cryptographically sign content to prove that it really happened. I guess Twitter would prefer a plausible deniability. If anyone screenshots you saying something you regret, you can just say it was forged.

  • by thunderbong on 4/6/22, 7:31 AM

    Isn't this the way the internet is supposed to work? If I link to a page and the page is removed, it'll not show, right? Same thing if I were to add that page as an iframe on my site.

    So, IMHO, the title and the post doesn't make any sense. Twitter isn't editing anyone's site. You have chosen to embed some content of Twitter on yours and it is perfectly fine if they chose to remove it.

  • by ki_ on 4/6/22, 8:29 AM

    hmm. Personally i think when u delete a tweet, you should not be able to embed it. If you changed your mind about a tweet, you should be able to decouple it from your account. If people want to refer to tweets, how about a screenshot? It's safer, faster and cant 404 when twitter is down.

    And i think the whole "they edited my page" statement is ridiculous. You EMBED a part of twitter into your page. You know it can change. If you embed a youtube video, and the owner deletes it, it wont play anymore. obviously.

  • by oauea on 4/6/22, 12:36 PM

    So twitter is distributing malware now?

    Malware is defined by Wikipedia as:

    > Malware (a portmanteau for malicious software) is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users access to information or which unknowingly interferes with the user's computer security and privacy.

    This script distributed by twitter is software intentionally designed to cause a disruption to a server and to deprive users access to information.

  • by ThePhysicist on 4/6/22, 7:29 AM

    Well, any third-party script that you embed on your website can edit your site and do many other nefarious things (key logging, credential stealing, ...). I never got how people can just copy/paste some random JS into their own websites (often without even using integrity tags). Social embeds in particular have turned the web into a surveillance machine for large corporations, as every FB/Twitter/Instagram/... embed tracks users across every web property that has such an embed, and until very recently almost every major website had such embeds.

    Luckily GDPR seems to have a chilling effect on recklessly embedding such stuff without thinking about privacy or security implications. Personally I hope that in a few years third-party embeds will mostly be a thing of the past.

  • by ChrisArchitect on 4/6/22, 5:35 PM

    Don't like the "Twitter Edits You" title of the article. Sensationalist/misleading.

    Tweet embeds are a live link to the Twitter system to show a tweet. To show the actual tweet from the Twitter platform. If the tweet doesn't exist, there's nothing to show. No one said it should maintain some kind of 'copy' of old data on your site.

  • by taspeotis on 4/6/22, 10:19 AM

    I am not particularly upset by this. You choose to embed JavaScript that interoperates with your website to make tweets look like Twitter … Twitter has decided that deleted tweets look like nothing now … that’s what you wanted.

    Apparently the “contract” that Twitter would preserve the text of a deleted tweet was a tweet from some random employee.

  • by WorldMaker on 4/6/22, 6:31 PM

    This seems to me like an improvement for systems that don't have blockquotes in their embedding source (previously the behavior was that if there was no HTML inside the embedding element there was no fallback at all and it was just an empty element) that was an accidental regression.

    I hope they add a simple check if the element has children or not to fix the regression, but I work on an app where some sort of fallback UI for deleted Tweets is a welcome change, even if "blank Tweet card" isn't a huge improvement, it's still a small win to get some hard-to-fix-on-our-side UI complaints off the backlog.

  • by account-5 on 4/6/22, 10:41 AM

    Disclaimer: I'm not a web developer nor a journalist/blogger, whatever.

    My non-expert, likely useless, take on this:

    Don't use Twitter's technology. If you're interested in quoting a tweet to create a public take a screenshot, copy of the text, quote it and provide a link. Simple.

    If part of your post links, or portals, to another site you don't control it's not part of your blog/post/site. Complaining when remote content changes is pointless. You're not capturing what was when you link to remote content managed by someone else you're capturing something live, it's not a public record. It isn't quoting anything.

  • by gumby on 4/6/22, 5:50 PM

    Implicitly, when you quote a tweet you are agreeing to a contract of adhesion (basically a shrink wrap license or "by using this site you agree to our terms"). Twitter even told people that the quoted text would remain.

    Now site ToS usually say that they can change the terms whenever they want. But that's going forward: something you wrote in the past should be under the contemporaneous terms.

    So I wonder if someone could successfully sue under California law. If successful, it would be a great improvement to consumer rights.

  • by bussetta on 4/6/22, 8:15 AM

    Would it have been better if Twitter had announced this change and made the change only for the new tweets and left the existing ones as is?

  • by raverbashing on 4/6/22, 7:58 AM

    * its embedded javascript

    (it is correct on the site itself)

    > That widgets.js script looks for blockquotes with the class="twitter-tweet" on, and replaces them with a Twitter branded iframe to confirm that it is a real tweet

    And that's how most libraries work? I don't see an issue. Yes, if you delete the tweet it seems they changed the behaviour (and that might be an actual bug) but still...

  • by jdrc on 4/6/22, 7:02 AM

    Oh boy wait until you see what adsense does

  • by fay59 on 4/6/22, 7:50 AM

    It kinda sucks, but “tampering with the public record”? Is Twitter liable for holding the public record now?

  • by dheera on 4/6/22, 7:06 AM

    Just screenshot them instead of embedding them.

    If you cared about JS injection why would you embed anything?!

  • by throwuxiytayq on 4/6/22, 9:52 AM

    Why do you people even use Twitter? It's one giant pile of crappy content and dark ux patterns. What did you expect? That they'd play nice forever? Are you really new to this? Did your preschool not have a sandbox?

  • by ec109685 on 4/6/22, 6:33 AM

    This is so stupid on twitter's part. It's obviously easy for publishers to work around by including both the blockquote of the tweet (unadorned), plus the version w/ the twitter embed class.

    End result will be much uglier pages.

  • by dustinmoris on 4/6/22, 7:49 AM

    This is why I never use these iframe widgets. They are not only useless and untrustworthy, they are also damn slow. I take a screenshot of the tweet I want to reference, put it into a bucket behind a CDN and then embed an <img> of the tweet inside an <a> which links back to the tweet. If the tweet gets deleted then the link will break and users will see that the tweet was deleted, but my screenshot stored on my own servers will remain forever and my website will continue to make sense.

    Own your data, own your blogs, own your words, own what you create/write/do on the web. Don't rely on third party services uphold a common sense contract or what most people would expect is the ethical/correct/good thing to do.

  • by rini17 on 4/6/22, 8:16 AM

    Looks we need something server-side to fetch content from twitter/etc. once when article is published and then serve that copy.

    I can see the publishers unhappy and actively obstructing such a solution though.

  • by tester89 on 4/7/22, 3:18 PM

    Someone should probably just come third-party CSS/JS to emulate the tweet look that twitter had without importing twitter's JS.

  • by jdrc on 4/6/22, 10:33 AM

    Are we going to have a lot of similar posts? This sounds like expected bevahiour if you're inserting someone's JavaScript in your page

  • by mlatu on 4/6/22, 7:45 AM

    i'd just boycott using widgets.js

    maybe there should be an open and distributed ACTUAL public record? have we finally found an actual usecase for blockchains?

  • by meatsauce on 4/6/22, 1:45 PM

    Unless you commit and are convicted of an actual crime with your tweet, nothing - absolutely nothing - should result in a blanket ban or deletion of your post. And no, insulting the embedded bloodsuckers that hold congress (and our lives) in an iron grip is not a crime.

    We need to go back to the days when sticks and stones broke bones; when words were correctly not "violence" and that your right to not be insulted existed solely in that self-important (but empty) cavern between your ears.

  • by TomGullen on 4/6/22, 7:37 AM

    BBC website frequently embeds Tweets, wonder how long until we start seeing edits on them to promote websites or something.

  • by iepathos on 4/6/22, 6:48 AM

    The real problem imo is twitter allowing people to delete their tweets at all. They need a no takesy backsies policy.

  • by smokey_circles on 4/6/22, 8:02 AM

    > Tampering with the public record

    Oh come off it already. What a remarkably brain dead opinion.

    Twitter _is not a public utility_. It owes you _nothing_. Their property, their decision. That simple.

    I do have an issue with the idea of their JS manipulating your own website but fuck off with this "Twitter is a public service" argument.

    - They don't have to give you an account

    - You are not entitled to make demands of them

    - You can always use another service

    Goddamned children. Enough already.

  • by peanut_worm on 4/6/22, 3:10 PM

    why dont you just remove the javascript so they appear as blockquotes? seems a bit dramatic. dont think i would expect twitter to show deleted tweets in the first place, id probably just use a screenshot if its something that i think might be removed.

  • by parksy on 4/6/22, 8:33 AM

    If permanency is a priority then letting external scripts be responsible for presenting content is not a good idea, especially if the agreement doesn't make any promises about whether content will be permanent, and doubly so if the agreement / terms of service explicitly say they can change the behaviour of their services at any time.

    What this probably calls for and maybe something is out there is some service that can embed, archive, and track changes to a tweet or social media post. You'd embed the same way, but the archive will fetch and cache the content. It could then serve up the original version, as well as a timeline of changes.

    The right to be forgotten has merit though, and I can see twitter's logic there and probably they're under pressure via GDPR or something. So any archival or cache service would need to take that into account. Various countries and districts have varying laws on what is and isn't official public record too, so it seems like managing that could be the function of a dedicated archival service.

  • by vixen99 on 4/6/22, 8:17 AM

    Should read < its embedded Javascript >

  • by demarq on 4/6/22, 10:33 AM

    > However, Twitter has broken this API contract.

    What contract?

  • by Cgwftsn on 4/6/22, 12:00 PM

    ٥اتعتاقر٧و

  • by iforgotpassword on 4/6/22, 7:19 AM

    I've never understood why people even wanted to use this. For the styling? So you can just copy some random stuff from Twitter and it looks like Twitter but is also interactive?

    Just with the Facebook like-Button, you're exposing your visitors to the tracking of Twitter.

    For what? Just so you can quickly copy one snippet and be done with it, instead of manually copying author name, content and link and spending 10 seconds to format this yourself.

    I wish I had something constructive to say, but this always seemed like a totally unnecessary "feature" with a lot of downsides. Instead of embedding 280 characters in your website you make it download an order of magnitude more from somewhere else and then execute code to display those characters in a way someone else deems appropriate.

  • by Zardoz84 on 4/6/22, 6:53 AM

    Omg... the thing about cited deleted tweets becomin a white glob, gives me some vibes of 1984's "rewriting history".