I developed a tool to show you your twitter friends on #mastodon: https://www.movetodon.org/

👉 All data stays in your browser
👉 No CSV import necessary
👉 List can be sorted by sign-up date, so that you can find new accounts fast

Movetodon: Finds your Twitter Friends on Mastodon

@Tibor
Isn't the claim "All data stays in your browser" kind of misleading?
To me it looks like all the data and access tokens are passed through your server.
Or am I missing something?

The last time I checked, it wasn't possible to do this browser-only, because twitter was missing a simple CORS header 🙄.

@Blubberbub I don’t think CORS headers are a problem, but revealing your secrets is one. The server is only there to hide tokens and pass data, nothing is saved there.

@Tibor
To me "All data stays in your browser" means that there is no party that could get hold of my data, even if it wanted to, so no 3rd party to trust. But there is, which I find misleading.

If there were a CORS header, one could use a "public client" and query the twitter API directly from the browser, truly keeping the data in the browser - but sadly the header is missing.

@Blubberbub I think you mean CSP, because CORS is only for those who control both client and server on different origins, and a twitter scenario with CORS would not make sense. CSP, however, gives us confidence if it defines explicitly what external APIs will work; everything else will be blocked (except plugins).

@stof
No, I mean CORS. Because the twitter API is on a different origin, a header is required to access it from a non-twitter domain in the browser. That header is missing.
https://stackoverflow.com/a/35898961

You can access the twitter API from the browser by using a CORS proxy that sets that header. (There are some available publicly, I think.)

@Blubberbub you're trying to make a point about assurance that data won't leave the browser. CORS provides no such assurance, no matter how you designed the fetch/xhr to gain it in the first place; that (CORS) is the opposite direction.
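The thread argues about which browser control points in which direction. As an added example (not code from the thread or from Movetodon), here is a small JavaScript model of both checks: CORS, where the responding server decides which origin may read its response, and CSP connect-src, where the page's own server decides where the page may send requests at all. The header values, the CORS-proxy host and the Twitter API path are constructed sample values.

```javascript
// Simplified CORS check: would the browser hand a cross-origin response to page JS?
// Models the simple-request path only; a preflight adds method/header checks on top.
function corsAllowsRead(pageOrigin, apiUrl, responseHeaders, withCredentials = false) {
  const apiOrigin = new URL(apiUrl).origin;
  if (apiOrigin === pageOrigin) return true;                 // same-origin: CORS not involved
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;                      // header missing: response is opaque
  if (acao === '*') return !withCredentials;                 // wildcard is invalid with credentials
  if (acao !== pageOrigin) return false;                     // header names a different origin
  if (withCredentials && responseHeaders['access-control-allow-credentials'] !== 'true') return false;
  return true;
}

// Simplified CSP connect-src check: may the page open a fetch/XHR to this URL?
// Handles 'self', 'none', '*' and host sources with an optional scheme and "*." prefix;
// ports, paths and scheme-only sources are left out for brevity.
function cspAllowsConnect(cspHeader, pageOrigin, targetUrl) {
  const directives = Object.fromEntries(
    cspHeader.split(';').map(d => d.trim()).filter(Boolean)
      .map(d => { const [name, ...vals] = d.split(/\s+/); return [name, vals]; }));
  const sources = directives['connect-src'] ?? directives['default-src'];
  if (!sources) return true;                                 // no applicable directive: unrestricted
  const target = new URL(targetUrl);
  return sources.some(src => {
    if (src === "'self'") return target.origin === pageOrigin;
    if (src === "'none'") return false;
    if (src === '*') return true;
    const m = src.match(/^(?:([a-z]+):\/\/)?(\*\.)?([^/:]+)$/i);
    if (!m) return false;
    const [, scheme, wild, host] = m;
    if (scheme && scheme + ':' !== target.protocol) return false;
    return wild ? target.hostname.endsWith('.' + host) : target.hostname === host;
  });
}

// Scenario from the thread: a page on movetodon.org calling the Twitter API directly.
const PAGE_ORIGIN = 'https://www.movetodon.org';                         // from the thread
const TWITTER_API = 'https://api.twitter.com/1.1/friends/list.json';     // assumed endpoint path
function directCallFromBrowser() {
  const twitterHeaders = { 'content-type': 'application/json' };           // constructed: no ACAO header
  const proxyHeaders = { 'access-control-allow-origin': '*' };             // constructed: what a CORS proxy adds
  return {
    direct: corsAllowsRead(PAGE_ORIGIN, TWITTER_API, twitterHeaders),      // false: blocked without the header
    viaProxy: corsAllowsRead(PAGE_ORIGIN, 'https://cors-proxy.example/' + TWITTER_API, proxyHeaders), // true
    // CSP is what limits where the page may send data; CORS does not.
    exfilUnderCsp: cspAllowsConnect("connect-src 'self'", PAGE_ORIGIN, 'https://collector.example/drop'), // false
  };
}
```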