I'm doing some tests with the (deprecated) Twitter API 1.0
For example, I want to get data from the API, client-side using AJAX browser requests from any cross-origin webpage. It can be a new blank tab, a local HTML page or any existing website.
I've tried JSONP, it works great but I would like to use the default XMLHttpRequest even if Twitter servers do not support CORS http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing.
On google.com homepage for example, I create a simple AJAX call to Twitter API that I execute with Firebug:
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://api.twitter.com/1/friends/ids.json?screen_name=baptx", false);
xhr.send();
This will not work and print an error on Firebug due to the same origin policy:
Error: Failure
xhr.send();
It returns an HTTP 200 OK code but no JSON data has been received from the server.
I've seen two differences between a request from a google.com webpage and the api.twitter webpage (who works for Twitter API requests since it's the API domain name, same origin).
An Origin HTTP header has been added with the current domain name:
Origin https://www.google.com
The Referer HTTP header is not https://api.twitter.com/ like a request from api.twitter.com page but is in my case:
Referer https://www.google.com/webhp?hl=en
That's why I've tried to remove the Origin HTTP header and modify the current Referer HTTP header to https://api.twitter.com/
I've done this with the Firefox ModifyHeaders extension and it works, I can check in Firebug "Net" tab that those changes were made correctly.
Now, I have the SAME request header from a request coming from google.com webpage and api.twitter.com webpage. It will still fail to do an AJAX request from another domain than the API, even if the HTTP headers are overwritten, why?
By the way, do you know why an AJAX request to Twitter API from Firefox "New Tab" will work?
